Attempting to delete a SIG set with dynamic update crashed the server.

diff --git a/lib/dns/message.c b/lib/dns/message.c
index 40dc1b5d9190ebc99f7f0736b292d611aa0189dd..85d37edbdb65510c6b09a5cd414fdba44ca81121 100644 (file)
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1178,7 +1178,9 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
                                attributes = DNS_NAMEATTR_CNAME;
                        else if (covers == dns_rdatatype_dname)
                                attributes = DNS_NAMEATTR_DNAME;
-                       else if (covers == 0) {
+                       else if (covers == 0 &&
+                                sectionid == DNS_SECTION_ADDITIONAL)
+                       {
                                if (msg->sig0 != NULL) {
                                        result = DNS_R_FORMERR;
                                        goto cleanup;
@@ -1198,7 +1200,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
                    skip_name_search) {
                        if (rdtype != dns_rdatatype_opt &&
                            rdtype != dns_rdatatype_tsig &&
-                           !(rdtype == dns_rdatatype_sig && covers == 0))
+                           !(rdtype == dns_rdatatype_sig && covers == 0 &&
+                             sectionid == DNS_SECTION_ADDITIONAL))
                        {
                                ISC_LIST_APPEND(*section, name, link);
                                free_name = ISC_FALSE;
@@ -1337,7 +1340,9 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
                /*
                 * If this is an SIG(0) or TSIG record, remember it.
                 */
-               if (rdtype == dns_rdatatype_sig && covers == 0) {
+               if (rdtype == dns_rdatatype_sig && covers == 0 &&
+                   sectionid == DNS_SECTION_ADDITIONAL)
+               {
                        msg->sig0 = rdataset;
                        rdataset = NULL;
                        free_rdataset = ISC_FALSE;
@@ -2316,6 +2321,8 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
                INSIST(result == ISC_R_SUCCESS);
                dns_rdataset_current(msg->sig0, &rdata);
 
+               if (rdata.length == 0)
+                       return (ISC_R_UNEXPECTEDEND);
                result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
                if (result != ISC_R_SUCCESS)
                        return (result);