2706. [bug] Loading a zone with a very large NSEC3 salt could

			trigger an assert. [RT #20368]

diff --git a/CHANGES b/CHANGES
index 6867eb9b5430281c9e949312700240c28a288d48..f0825391eaa0a688dd02053d3416d3e73bb890fb 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2706.  [bug]           Loading a zone with a very large NSEC3 salt could
+                       trigger an assert. [RT #20368]
+
 2705.  [bug]           Reconcile the XML stats version number with a later
                         BIND9 release, by adding a "name" attribute to
                         "cache" elements and increasing the version number

diff --git a/bin/tests/nsec3hash.c b/bin/tests/nsec3hash.c
index 4a4a782e299dfa88df973361c62133d3e3934e06..91c78b8fee1c98ed339fd1cf4e74d298943b8baa 100644 (file)
--- a/bin/tests/nsec3hash.c
+++ b/bin/tests/nsec3hash.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3hash.c,v 1.4 2008/09/26 01:31:19 marka Exp $ */
+/* $Id: nsec3hash.c,v 1.4.48.1 2009/10/06 21:20:18 each Exp $ */
 
 #include <config.h>
 
@@ -32,6 +32,7 @@
 
 #include <dns/fixedname.h>
 #include <dns/name.h>
+#include <dns/nsec3.h>
 #include <dns/types.h>
 
 const char *program = "nsec3hash";
@@ -67,7 +68,7 @@ main(int argc, char **argv) {
        isc_region_t region;
        isc_result_t result;
        unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-       unsigned char salt[255];
+       unsigned char salt[DNS_NSEC3_SALTSIZE];
        unsigned char text[1024];
        unsigned int hash_alg;
        unsigned int length;
@@ -85,7 +86,7 @@ main(int argc, char **argv) {
                result = isc_hex_decodestring(argv[1], &buffer);
                check_result(result, "isc_hex_decodestring(salt)");
                salt_length = isc_buffer_usedlength(&buffer);
-               if (salt_length > 255U)
+               if (salt_length > DNS_NSEC3_SALTSIZE)
                        fatal("salt too long");
        }
        hash_alg = atoi(argv[2]);

diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
index 2d6a8dde8a72f738f20fecf80e65521f9452b46f..6243fdb10f2bd278759ebdb53cf4428eda5ea246 100644 (file)
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.h,v 1.5.48.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: nsec3.h,v 1.5.48.3 2009/10/06 21:20:18 each Exp $ */
 
 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
@@ -28,6 +28,8 @@
 #include <dns/rdatastruct.h>
 #include <dns/types.h>
 
+#define DNS_NSEC3_SALTSIZE 255
+
 /*
  * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
  * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 815186ab22f2bce986ce921f4227e7019243223e..0b07ba8ac0794a76dadad55e221ce9fdd6582f7f 100644 (file)
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.270.12.9 2009/10/03 23:47:29 tbox Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.10 2009/10/06 21:20:18 each Exp $ */
 
 /*! \file */
 
@@ -383,7 +383,7 @@ typedef struct rbtdb_version {
        isc_uint8_t                     flags;
        isc_uint16_t                    iterations;
        isc_uint8_t                     salt_length;
-       unsigned char                   salt[NSEC3_MAX_HASH_LENGTH];
+       unsigned char                   salt[DNS_NSEC3_SALTSIZE];
 } rbtdb_version_t;
 
 typedef ISC_LIST(rbtdb_version_t)       rbtdb_versionlist_t;
@@ -2064,8 +2064,6 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
                                        continue;
 #endif
 
-                               INSIST(nsec3param.salt_length <=
-                                      sizeof(version->salt));
                                memcpy(version->salt, nsec3param.salt,
                                       nsec3param.salt_length);
                                version->hash = nsec3param.hash;
@@ -6635,8 +6633,8 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
        if (rbtversion->havensec3) {
                if (hash != NULL)
                        *hash = rbtversion->hash;
-               if (salt != NULL && salt_length != 0) {
-                       REQUIRE(*salt_length > rbtversion->salt_length);
+               if (salt != NULL && salt_length != NULL) {
+                       REQUIRE(*salt_length >= rbtversion->salt_length);
                        memcpy(salt, rbtversion->salt, rbtversion->salt_length);
                }
                if (salt_length != NULL)