From 463f4ad70bed35fdc48d5afd312f1e098af34a29 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 10 Dec 2012 08:22:01 +1100
Subject: [PATCH] silence clang --analyzer warnin by checking rdata.length

---
 lib/dns/nsec3.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 4975bf318a..b63e11787f 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1098,7 +1098,12 @@ dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
 		INSIST(rdata.length <= sizeof(buf));
 		memcpy(buf, rdata.data, rdata.length);
 
-		if (buf[0] != 0 || (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
+		/*
+		 * Private NSEC3 record length >= 6.
+		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
+		 */
+		if (rdata.length < 6 || buf[0] != 0 ||
+		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
 		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
 			continue;