#include <dns/masterdump.h>
#include <dns/message.h>
#include <dns/name.h>
+#include <dns/nsec3.h>
#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
}
}
+ if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
+ dns_rdata_nsec3param_t nsec3param;
+
+ result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+ check_result(result, "dns_rdata_tostruct");
+ if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+ fprintf(stderr,
+ "NSEC3PARAM has excessive iterations (> %u)\n",
+ dns_nsec3_maxiterations());
+ goto failure;
+ }
+ }
+
doneparsing:
result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
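Review bot: The NSEC3PARAM iteration check added before `doneparsing:` runs only inside the nsupdate client, so it is a usability guard rather than an enforcement point. An update built by any other client never passes through it, so the server-side update path has to apply the same `dns_nsec3_maxiterations()` bound; that code is not visible in this hunk. I would state this in a comment above the `if`, for example `/* Client-side sanity check only; the server remains responsible for enforcing the limit. */`. The enclosing function starts and ends outside this hunk, so it is worth confirming that the `failure` label releases whatever was allocated earlier in the function on this new exit path.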
grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
+n=`expr $n + 1`
+ret=0
+echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in NSEC3PARAM 1 0 151 -
+END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
if $FEATURETEST --gssapi ; then
n=`expr $n + 1`
ret=0
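Review bot: The added test exercises only the rejected value 151 and has no companion case at exactly 150, so a client comparison written as `>=` instead of `>` would still pass. A second case with `update add example 0 in NSEC3PARAM 1 0 150 -`, asserting that the "excessive iterations" message is absent from the output, would pin the boundary. The literals 150 and 151 duplicate whatever `dns_nsec3_maxiterations()` returns, so a comment such as `# 150 must match dns_nsec3_maxiterations()` would tell the next maintainer why the test breaks if the limit changes. The new `grep` line also prints its match into the test log, unlike the neighbouring FORMERR check; adding `> /dev/null` would keep the two consistent.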