From 368c75a9f567f8b36cf24fefe45023e0a050e47b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sat, 14 Feb 2026 14:43:41 +0100 Subject: [PATCH] Invalid NSEC3 can cause OOB read of the isdelegation() stack When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a harmless out-of-bound read of the isdelegation() stack. This patch fixes the issue by skipping NSEC3 records with an oversized hash length during validation. (cherry picked from commit 67b4fb56e40bf856e1fccd41e752d5f486b5b569) --- lib/dns/rdata/generic/nsec3_50.c | 1 + lib/dns/validator.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c index f45fe4dc33..e04587bd1b 100644 --- a/lib/dns/rdata/generic/nsec3_50.c +++ b/lib/dns/rdata/generic/nsec3_50.c @@ -324,6 +324,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) { } nsec3->mctx = mctx; + return ISC_R_SUCCESS; cleanup: diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 809b7be911..9ec13581ab 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -339,6 +339,9 @@ trynsec3: if (nsec3.hash != 1) { continue; } + if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) { + continue; + } length = isc_iterated_hash( hash, nsec3.hash, nsec3.iterations, nsec3.salt, nsec3.salt_length, name->ndata, name->length);