upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-22 10:10:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Invalid NSEC3 can cause OOB read of the isdelegation() stack

Browse source 
When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack.  This patch
fixes the issue by skipping NSEC3 records with an oversized hash length
during validation.
This commit is contained in:
Ondřej Surý 2026-02-14 14:43:41 +01:00 committed by Ondřej Surý
parent d4ec8ebee8
commit 67b4fb56e4
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41
2 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/dns/rdata/generic/nsec3_50.c
View file

@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
nsec3->len = region.length;
nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
nsec3->mctx = mctx;
return ISC_R_SUCCESS;
}

3
lib/dns/validator.c
View file

@ -322,6 +322,9 @@ trynsec3:
if (nsec3.hash != 1) {
continue;
}
if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) {
continue;
}
length = isc_iterated_hash(
hash, nsec3.hash, nsec3.iterations, nsec3.salt,
nsec3.salt_length, name->ndata, name->length);