From: Mark Andrews
Date: Fri, 23 Apr 2021 00:03:53 +0000 (+1000)
Subject: nsupdate: reject attempts to add NSEC3PARAM with excessive iterations
X-Git-Tag: v9.17.13~36^2~5
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=3fe75d9809902be38e49a409be3e688d78a2db2b;p=thirdparty%2Fbind9.git

nsupdate: reject attempts to add NSEC3PARAM with excessive iterations
---
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 3b505b96947..4965a274f5c 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -57,6 +57,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1968,6 +1969,19 @@ parseclass:
 }
 }

+ if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
+ dns_rdata_nsec3param_t nsec3param;
+
+ result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+ check_result(result, "dns_rdata_tostruct");
+ if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+ fprintf(stderr,
+ "NSEC3PARAM has excessive iterations (> %u)\n",
+ dns_nsec3_maxiterations());
+ goto failure;
+ }
+ }
+
 doneparsing:

 result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 1bbb804584a..7a421f1c8be 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1190,6 +1190,8 @@ then
 echo_i "failed"; status=1
 fi

+n=`expr $n + 1`
+ret=0
 echo_i "check that DS to the zone apex is ignored ($n)"
 $DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1
 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
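Review bot: `dns_nsec3_maxiterations()` is evaluated twice in the new NSEC3PARAM block, once in the comparison and again inside the `fprintf`; reading it once into a local keeps the limit and the printed number in step and reads more cleanly: `unsigned int maxiter = dns_nsec3_maxiterations();` / `if (nsec3param.iterations > maxiter) {` / `fprintf(stderr, "NSEC3PARAM has excessive iterations (> %u)\n", maxiter);`. The guard is gated on `!isdelete` and the NSEC3PARAM type, which is the right scope for a client-side check, but it is only that: any other dynamic-update client can still send the record, so a one-line comment such as `/* Client-side sanity check only; the server must enforce this limit independently. */` would stop a later reader from treating this as the protection. `check_result()` presumably follows nsupdate's usual pattern of exiting on a non-success result; since the rdata was just parsed from text this path should be unreachable, but a `goto failure` there would keep a malformed record from aborting an interactive session. The enclosing function starts and ends outside the hunk, and the header added by the first hunk is not visible in this rendering.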
@@ -1209,7 +1211,20 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
 grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }

-if $FEATURETEST --gssapi ; then
+n=`expr $n + 1`
+ret=0
+echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
+$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in NSEC3PARAM 1 0 151 -
+END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+if ! $FEATURETEST --gssapi ; then
+ echo_i "SKIPPED: GSSAPI tests"
+else
 n=`expr $n + 1`
 ret=0
 echo_i "check krb5-self match ($n)"
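Review bot: The nsupdate invocation reads as `$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1`, which would take stdin from the output file and leave the following `server`/`zone`/`update add`/`END` lines as stray shell commands; the heredoc operator was presumably lost in rendering and the committed line should be `$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1`, which is worth confirming against the repository. The expected message hard-codes `(> 150)`, so the test silently depends on the current value returned by `dns_nsec3_maxiterations()` and will break if that limit is ever tuned; a comment such as `# 150 is the current dns_nsec3_maxiterations() limit` next to the grep makes the coupling visible. Inverting the feature test into `if ! $FEATURETEST --gssapi ; then … else` reads well, but the `else` branch opened here continues past the end of the hunk.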