From a9775fe88db0abd7ec8bbda4b7552eafbb54af77 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 6 Oct 2009 21:20:18 +0000 Subject: [PATCH] 2706. [bug] Loading a zone with a very large NSEC3 salt could trigger an assert. [RT #20368] --- CHANGES | 3 +++ bin/tests/nsec3hash.c | 7 ++++--- lib/dns/include/dns/nsec3.h | 4 +++- lib/dns/rbtdb.c | 10 ++++------ 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 6867eb9b543..f0825391eaa 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2706. [bug] Loading a zone with a very large NSEC3 salt could + trigger an assert. [RT #20368] + 2705. [bug] Reconcile the XML stats version number with a later BIND9 release, by adding a "name" attribute to "cache" elements and increasing the version number diff --git a/bin/tests/nsec3hash.c b/bin/tests/nsec3hash.c index 4a4a782e299..91c78b8fee1 100644 --- a/bin/tests/nsec3hash.c +++ b/bin/tests/nsec3hash.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3hash.c,v 1.4 2008/09/26 01:31:19 marka Exp $ */ +/* $Id: nsec3hash.c,v 1.4.48.1 2009/10/06 21:20:18 each Exp $ */ #include @@ -32,6 +32,7 @@ #include #include +#include #include const char *program = "nsec3hash"; @@ -67,7 +68,7 @@ main(int argc, char **argv) { isc_region_t region; isc_result_t result; unsigned char hash[NSEC3_MAX_HASH_LENGTH]; - unsigned char salt[255]; + unsigned char salt[DNS_NSEC3_SALTSIZE]; unsigned char text[1024]; unsigned int hash_alg; unsigned int length; @@ -85,7 +86,7 @@ main(int argc, char **argv) { result = isc_hex_decodestring(argv[1], &buffer); check_result(result, "isc_hex_decodestring(salt)"); salt_length = isc_buffer_usedlength(&buffer); - if (salt_length > 255U) + if (salt_length > DNS_NSEC3_SALTSIZE) fatal("salt too long"); } hash_alg = atoi(argv[2]); diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h index 2d6a8dde8a7..6243fdb10f2 100644 --- a/lib/dns/include/dns/nsec3.h +++ b/lib/dns/include/dns/nsec3.h 
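Review bot: In main() of bin/tests/nsec3hash.c, the `salt_length > DNS_NSEC3_SALTSIZE` test runs only after isc_hex_decodestring() has already written the decoded salt into `buffer`, so it cannot be what keeps an over-long salt out of `salt[]`. The buffer initialisation is outside the hunk; presumably it is set up over `salt` with `sizeof(salt)`, in which case the decode call is the real bound and this test can never be true. A short comment would make that explicit, e.g. `/* decode is already bounded by sizeof(salt); this is a secondary check */`. main() starts and ends outside the hunk.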
@@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3.h,v 1.5.48.2 2009/01/18 23:47:41 tbox Exp $ */ +/* $Id: nsec3.h,v 1.5.48.3 2009/10/06 21:20:18 each Exp $ */ #ifndef DNS_NSEC3_H #define DNS_NSEC3_H 1 @@ -28,6 +28,8 @@ #include #include +#define DNS_NSEC3_SALTSIZE 255 + /* * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max) * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max) diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 815186ab22f..0b07ba8ac07 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.270.12.9 2009/10/03 23:47:29 tbox Exp $ */ +/* $Id: rbtdb.c,v 1.270.12.10 2009/10/06 21:20:18 each Exp $ */ /*! \file */ @@ -383,7 +383,7 @@ typedef struct rbtdb_version { isc_uint8_t flags; isc_uint16_t iterations; isc_uint8_t salt_length; - unsigned char salt[NSEC3_MAX_HASH_LENGTH]; + unsigned char salt[DNS_NSEC3_SALTSIZE]; } rbtdb_version_t; typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t; @@ -2064,8 +2064,6 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version, continue; #endif - INSIST(nsec3param.salt_length <= - sizeof(version->salt)); memcpy(version->salt, nsec3param.salt, nsec3param.salt_length); version->hash = nsec3param.hash; @@ -6635,8 +6633,8 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash, if (rbtversion->havensec3) { if (hash != NULL) *hash = rbtversion->hash; - if (salt != NULL && salt_length != 0) { - REQUIRE(*salt_length > rbtversion->salt_length); + if (salt != NULL && salt_length != NULL) { + REQUIRE(*salt_length >= rbtversion->salt_length); memcpy(salt, rbtversion->salt, rbtversion->salt_length); } if (salt_length != NULL) -- 2.47.3
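Review bot: `DNS_NSEC3_SALTSIZE` is added to the public header lib/dns/include/dns/nsec3.h with no comment saying where 255 comes from or that buffer sizes elsewhere now depend on it. The layout comment just below already notes "salt length = 1, salt = 255 (max)", so the bound follows from the one-octet salt length field. I would state that on the macro itself: `/* Maximum NSEC3 salt size in octets; the salt length field is a single octet. */`.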
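Review bot: With the INSIST removed in setnsec3parameters() (lib/dns/rbtdb.c), the `memcpy(version->salt, nsec3param.salt, nsec3param.salt_length)` has no visible bound on the destination, on a path that handles data loaded from a zone. The copy is safe only if `nsec3param.salt_length` can never exceed `DNS_NSEC3_SALTSIZE`. That presumably holds because the field is 8 bits wide, but its declaration is not visible here. I would keep a non-fatal guard before the copy, `if (nsec3param.salt_length > sizeof(version->salt)) continue;`, mirroring the `continue` a few lines above. A later change to either type would then skip the record instead of overrunning the struct. The function body starts and ends outside the hunk.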
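Review bot: The REQUIRE in getnsec3parameters() (lib/dns/rbtdb.c) treats `*salt_length` on entry as the capacity of `salt`, but nothing in the hunk documents that in/out contract, and a caller with a smaller buffer aborts the process. The stored salt array is now `DNS_NSEC3_SALTSIZE` octets, so callers need a buffer of that size. A comment above the test would say so: `/* On entry *salt_length is the size of salt[]; callers should pass DNS_NSEC3_SALTSIZE. */`. The function continues outside the hunk.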