From 232dac8cd596f91267c61c5743184c483e694b7a Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 8 Jan 2025 18:08:05 -0800
Subject: [PATCH] detect when closest-encloser name is too long

there was a database bug in which dns_db_find() could get a partial match for the query name, but still set foundname to match the full query name. this triggered an assertion when query_addwildcardproof() assumed that foundname would be shorter. the database bug has been fixed, but in case it happens again, we can just copy the name instead of splitting it. we will also log a warning that the closest-encloser name was invalid.
---
lib/ns/query.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index cc57bcf684..8464e782d9 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11167,7 +11167,15 @@ again:
 * Add no qname proof.
 */
 labels = dns_name_countlabels(cname) + 1;
- if (dns_name_countlabels(name) == labels) {
+ if (labels > maxlabels) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(cname, namebuf, sizeof(namebuf));
+ ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "closest-encloser name too long: %s",
+ namebuf);
+ dns_name_copy(name, wname);
+ } else if (labels == maxlabels) {
 dns_name_copy(name, wname);
 } else {
 dns_name_split(name, labels, NULL, wname);
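Review bot: The warning emitted by the new `ns_client_log()` call reports only the closest-encloser name (`cname`), so an operator who sees it cannot tell which query produced the inconsistent database result; formatting `name` into a second `DNS_NAME_FORMATSIZE` buffer and logging both, e.g. `"closest-encloser name too long: %s (query name %s)"`, would make the invariant violation diagnosable from the log alone. The `labels > maxlabels` branch also deserves a one-line comment such as `/* Defensive: dns_db_find() should never return a closest encloser longer than the query name; copy rather than split to avoid the old assertion. */`, since nothing in the code itself says the branch is expected to be unreachable. The `dns_name_copy(name, wname)` call is now duplicated in the new branch and the `labels == maxlabels` branch; logging first and then testing `labels >= maxlabels` would remove the repetition. The definition of `maxlabels` and the start of the enclosing function lie outside the hunk, so I am assuming it holds the label count of `name` as the removed condition did.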