From 67b4fb56e40bf856e1fccd41e752d5f486b5b569 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sat, 14 Feb 2026 14:43:41 +0100 Subject: [PATCH] Invalid NSEC3 can cause OOB read of the isdelegation() stack When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a harmless out-of-bound read of the isdelegation() stack. This patch fixes the issue by skipping NSEC3 records with an oversized hash length during validation. --- lib/dns/rdata/generic/nsec3_50.c | 1 + lib/dns/validator.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c index 600a90f9bd..9f4d4e5a99 100644 --- a/lib/dns/rdata/generic/nsec3_50.c +++ b/lib/dns/rdata/generic/nsec3_50.c @@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) { nsec3->len = region.length; nsec3->typebits = mem_maybedup(mctx, region.base, region.length); nsec3->mctx = mctx; + return ISC_R_SUCCESS; } diff --git a/lib/dns/validator.c b/lib/dns/validator.c index ed2931b744..de0765b8c2 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -322,6 +322,9 @@ trynsec3: if (nsec3.hash != 1) { continue; } + if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) { + continue; + } length = isc_iterated_hash( hash, nsec3.hash, nsec3.iterations, nsec3.salt, nsec3.salt_length, name->ndata, name->length);