From 76a3ca378cd6930e0c7664ebba63f2d18f205b7e Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman
Date: Mon, 16 Feb 2015 12:09:30 +0530
Subject: [PATCH] RPZ: Don't diff keys out of bounds, found via Valgrind (#38559)
(cherry picked from commit 73639a33faf05e5ac0308475af8ae8eae3518829)
Conflicts: CHANGES lib/dns/rpz.c
---
 CHANGES | 5 +++++
 lib/dns/rpz.c | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 08e2570087..366921cf1c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4062. [bug] Fix an out-of-bounds read in RPZ code. If the
+ read succeeded, it doesn't result in a bug
+ during operation. If the read failed, named
+ could segfault. [RT #38559]
+
 --- 9.9.7 released ---
 --- 9.9.7rc2 released ---
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 3dd80664c7..17a0ff41da 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -741,13 +741,14 @@ diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_cidr_bits_t bits1,
 dns_rpz_cidr_bits_t maxbit, bit;
 int i;
+ bit = 0;
 maxbit = ISC_MIN(bits1, bits2);
 /*
 * find the first differing words
 */
- for (i = 0, bit = 0;
- bit <= maxbit;
+ for (i = 0;
+ bit < maxbit;
 i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
 delta = key1->w[i] ^ key2->w[i];
 if (delta != 0) {
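Review bot: Nothing in the lib/dns/rpz.c hunk bounds `i` against the size of `w`, so the read in `delta = key1->w[i] ^ key2->w[i];` stays in bounds only while `maxbit` is within the key width. The change from `<=` to `<` removes the one-word overrun at an exact word boundary, but the assumption on `bits1`/`bits2` remains implicit. If callers do not already guarantee it, a precondition at the top of `diff_keys()` would make it explicit, for example `REQUIRE(bits1 <= sizeof(key1->w) * 8 && bits2 <= sizeof(key2->w) * 8);` (assuming `w` is an array member, which the hunk does not show). With the strict bound the loop runs zero times when `maxbit` is 0, so the code after the loop, which lies outside the hunk, should be checked for that case. A comment on the loop such as `/* bit is the first bit of word i; a word starting at maxbit lies outside both prefixes */` would record why the bound is strict.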