diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c
index 9664653d0b..f76b07c334 100644
--- a/bin/dnssec/dnssec-ksr.c
+++ b/bin/dnssec/dnssec-ksr.c
@@ -1170,7 +1170,6 @@ sign(ksr_ctx_t *ksr) {
 }
 if (strcmp(STR(token), ";;") == 0) {
- char bundle[KSR_LINESIZE];
 isc_stdtime_t next_inception;
 CHECK(isc_lex_gettoken(lex, opt, &token));
@@ -1204,9 +1203,8 @@ sign(ksr_ctx_t *ksr) {
 }
 /* Date and time of bundle */
- sscanf(STR(token), "%s", bundle);
- next_inception = strtotime(bundle, ksr->now, ksr->now,
- NULL);
+ next_inception = strtotime(STR(token), ksr->now,
+ ksr->now, NULL);
 if (have_bundle) {
 /* Sign previous bundle */
diff --git a/bin/tests/system/ksr/ns1/named.conf.j2 b/bin/tests/system/ksr/ns1/named.conf.j2
index 7283069321..baeebbf81f 100644
--- a/bin/tests/system/ksr/ns1/named.conf.j2
+++ b/bin/tests/system/ksr/ns1/named.conf.j2
@@ -93,3 +93,17 @@ dnssec-policy "ksk-roll" {
 zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 };
 };
+
+dnssec-policy "invalid-skr" {
+ offline-ksk yes;
+ keys {
+ ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+zone "invalid-skr.test" {
+ type primary;
+ file "invalid-skr.test.db";
+ dnssec-policy "invalid-skr";
+};
diff --git a/bin/tests/system/ksr/ns1/setup.sh b/bin/tests/system/ksr/ns1/setup.sh
index 2179ab251d..e8c932b392 100644
--- a/bin/tests/system/ksr/ns1/setup.sh
+++ b/bin/tests/system/ksr/ns1/setup.sh
@@ -27,3 +27,4 @@ cp template.db.in in-the-middle.test.db
 cp template.db.in unlimited.test.db
 cp template.db.in two-tone.test.db
 cp template.db.in ksk-roll.test.db
+cp template.db.in invalid-skr.test.db
diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py
index e3fbf6dfa2..3e0925bfab 100644
--- a/bin/tests/system/ksr/tests_ksr.py
+++ b/bin/tests/system/ksr/tests_ksr.py
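Review bot: The whole lexer token is now handed to `strtotime()` unchanged, which matches the removed `sscanf(STR(token), "%s", bundle)` only if `isc_lex_gettoken()` never returns a token containing whitespace at this point, since `%s` would have stopped at the first blank; that is presumably true for the token type this loop accepts, but the type check sits outside the hunk. The removed copy was an unbounded write into a fixed stack array, so dropping it is the right fix, and the two lib/dns/skr.c hunks further down make the same change for `bundlebuf[1024]` and `dns_time32_fromtext()`. Because the token's length is now presumably bounded only by the lexer's configured limits rather than a local buffer, a comment such as `/* Pass the token as-is: its length is bounded by the lexer, not by a local buffer */` above the `strtotime()` call (and above the `dns_time32_fromtext()` call in skr.c) would tell the next reader why no explicit size check appears here. The enclosing `sign()` body starts and ends outside both hunks, as does `dns_skr_read()` in skr.c.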
@@ -34,6 +34,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "past.test.*",
 "two-tone.test.*",
 "unlimited.test.*",
+ "invalid-skr.test.*",
 "ns1/K*",
 "ns1/_default.nzd",
 "ns1/_default.nzf",
@@ -77,6 +78,11 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns1/unlimited.test.db.signed",
 "ns1/unlimited.test.db.signed.jnl",
 "ns1/unlimited.test.unlimited.skr.1",
+ "ns1/invalid-skr.test.db",
+ "ns1/invalid-skr.test.db.jbk",
+ "ns1/invalid-skr.test.db.signed",
+ "ns1/invalid-skr.test.db.signed.jnl",
+ "ns1/invalid-skr.test.skr.1",
 ]
 )
@@ -1298,3 +1304,21 @@ def test_ksr_kskroll(ns1):
 isctest.kasp.check_apex(ns1, zone, ksks, zsks, offline_ksk=True)
 # - check subdomain
 isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True)
+
+
+def test_ksr_oversize(ns1):
+ zone = "invalid-skr.test"
+ n = 1
+
+ skr_fname = f"{zone}.skr.{n}"
+ token_len = 5000
+ with open(skr_fname, "w", encoding="utf-8") as skr:
+ huge_token = "A" * token_len
+ skr.write(f";; SignedKeyResponse 1.0 {huge_token}\n")
+
+ # - try importing invalid SKR file
+ shutil.copyfile(skr_fname, f"ns1/{skr_fname}")
+ ns1.rndc(f"skr -import {skr_fname} {zone}")
+
+ # - check if named is still running
+ ns1.rndc("status")
diff --git a/lib/dns/skr.c b/lib/dns/skr.c
index 7eec1f4531..a54b843fc2 100644
--- a/lib/dns/skr.c
+++ b/lib/dns/skr.c
@@ -215,7 +215,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
 dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) {
 isc_result_t result;
 dns_skrbundle_t *bundle = NULL;
- char bundlebuf[1024];
 uint32_t bundle_id;
 isc_lex_t *lex = NULL;
 isc_lexspecials_t specials;
@@ -287,8 +286,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
 }
 /* Create new bundle */
- sscanf(STR(token), "%s", bundlebuf);
- CHECK(dns_time32_fromtext(bundlebuf, &bundle_id));
+ CHECK(dns_time32_fromtext(STR(token), &bundle_id));
 bundle = NULL;
 skrbundle_create(mctx, (isc_stdtime_t)bundle_id, &bundle);
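Review bot: `test_ksr_oversize` never asserts that the oversized SKR was rejected; after `ns1.rndc(f"skr -import {skr_fname} {zone}")` it only checks that named still answers `rndc status`. If the `rndc` helper raises on a non-zero exit status, the import line would fail the test before the liveness check runs, so the expected rejection should be stated explicitly, e.g. by wrapping the import in `with pytest.raises(...)` or by checking the command output or log for the import error, whichever the helper supports. A comment above `token_len = 5000` noting that it must exceed the fixed-size buffers the old `sscanf("%s")` code wrote into (1024 bytes in lib/dns/skr.c) would make the regression's purpose clear to a later reader. The hunk also depends on `shutil` being imported at the top of the file, which is outside the hunk.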