From 8ab4827a0c35128a88212237395f388c17e9ff26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sun, 22 Feb 2026 06:37:33 +0100 Subject: [PATCH 1/2] Importing invalid SKR file might overflow the stack buffer If an invalid SKR file is imported, reading the time from the token buffer might overflow the buffer on the local stack. This has been fixed by removing the intermediate buffer and parsing the lexer token directly. --- bin/dnssec/dnssec-ksr.c | 6 ++---- lib/dns/skr.c | 4 +--- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index 9664653d0b..f76b07c334 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -1170,7 +1170,6 @@ sign(ksr_ctx_t *ksr) { } if (strcmp(STR(token), ";;") == 0) { - char bundle[KSR_LINESIZE]; isc_stdtime_t next_inception; CHECK(isc_lex_gettoken(lex, opt, &token)); @@ -1204,9 +1203,8 @@ sign(ksr_ctx_t *ksr) { } /* Date and time of bundle */ - sscanf(STR(token), "%s", bundle); - next_inception = strtotime(bundle, ksr->now, ksr->now, - NULL); + next_inception = strtotime(STR(token), ksr->now, + ksr->now, NULL); if (have_bundle) { /* Sign previous bundle */ diff --git a/lib/dns/skr.c b/lib/dns/skr.c index 7eec1f4531..a54b843fc2 100644 --- a/lib/dns/skr.c +++ b/lib/dns/skr.c @@ -215,7 +215,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin, dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) { isc_result_t result; dns_skrbundle_t *bundle = NULL; - char bundlebuf[1024]; uint32_t bundle_id; isc_lex_t *lex = NULL; isc_lexspecials_t specials; @@ -287,8 +286,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin, } /* Create new bundle */ - sscanf(STR(token), "%s", bundlebuf); - CHECK(dns_time32_fromtext(bundlebuf, &bundle_id)); + CHECK(dns_time32_fromtext(STR(token), &bundle_id)); bundle = NULL; skrbundle_create(mctx, (isc_stdtime_t)bundle_id, &bundle); 
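Review bot: The new `strtotime(STR(token), ksr->now, ksr->now, NULL)` call in `sign()` has no regression coverage: the system test added in PATCH 2/2 only drives `rndc skr -import`, which reaches `dns_skr_read()` in lib/dns/skr.c, so the dnssec-ksr.c path that had the same `sscanf("%s")` overflow is never fed an oversized token. Running `dnssec-ksr ... sign` against the same generated SKR under ASAN would pin both fixes. The rewrite also drops the whitespace splitting that `sscanf("%s")` did implicitly, so it relies on the lexer already delivering a single whitespace-delimited string token; the preceding token-type check is not visible here (sign() starts and ends outside the hunk), so it is worth confirming STR(token) is only consulted for a string-type token. A short comment above the call, `/* token is already whitespace-delimited by the lexer; parse it in place */`, would record why the intermediate buffer is gone.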
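Review bot: `CHECK(dns_time32_fromtext(STR(token), &bundle_id))` now rejects a malformed bundle time cleanly, but the only diagnostic left for the caller is the result code; since the SKR file reaches `dns_skr_read()` through `rndc skr -import`, logging the offending line (e.g. via `isc_lex_getsourceline(lex)`) before jumping to cleanup would tell an operator which bundle header was bad. dns_skr_read() continues outside the hunk, so whether a partially built `*skrp`/bundle list is released on that error path cannot be confirmed from here and should be checked. With the 1024-byte copy gone, the lexer's token-length limit is the only bound on how much of an untrusted SKR line is held in memory; if `isc_lex_create()` earlier in this function fixes a maximum token length, a comment such as `/* token length is bounded by the lexer; parse in place */` would make that dependency explicit.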
From a82773ea891c54a2cd703b9d5b3d01fdf33912d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sun, 22 Feb 2026 07:27:07 +0100 Subject: [PATCH 2/2] Add system tests that imports invalid SKR file Try to import invalid SKR file and observe whether the named is still alive. This test only triggers under ASAN. --- bin/tests/system/ksr/ns1/named.conf.j2 | 14 ++++++++++++++ bin/tests/system/ksr/ns1/setup.sh | 1 + bin/tests/system/ksr/tests_ksr.py | 24 ++++++++++++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/bin/tests/system/ksr/ns1/named.conf.j2 b/bin/tests/system/ksr/ns1/named.conf.j2 index 7283069321..baeebbf81f 100644 --- a/bin/tests/system/ksr/ns1/named.conf.j2 +++ b/bin/tests/system/ksr/ns1/named.conf.j2 @@ -93,3 +93,17 @@ dnssec-policy "ksk-roll" { zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; }; }; + +dnssec-policy "invalid-skr" { + offline-ksk yes; + keys { + ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +zone "invalid-skr.test" { + type primary; + file "invalid-skr.test.db"; + dnssec-policy "invalid-skr"; +}; diff --git a/bin/tests/system/ksr/ns1/setup.sh b/bin/tests/system/ksr/ns1/setup.sh index 2179ab251d..e8c932b392 100644 --- a/bin/tests/system/ksr/ns1/setup.sh +++ b/bin/tests/system/ksr/ns1/setup.sh @@ -27,3 +27,4 @@ cp template.db.in in-the-middle.test.db cp template.db.in unlimited.test.db cp template.db.in two-tone.test.db cp template.db.in ksk-roll.test.db +cp template.db.in invalid-skr.test.db diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py index e3fbf6dfa2..3e0925bfab 100644 --- a/bin/tests/system/ksr/tests_ksr.py +++ b/bin/tests/system/ksr/tests_ksr.py @@ -34,6 +34,7 @@ pytestmark = pytest.mark.extra_artifacts( "past.test.*", "two-tone.test.*", "unlimited.test.*", + "invalid-skr.test.*", "ns1/K*", "ns1/_default.nzd", "ns1/_default.nzf", 
@@ -77,6 +78,11 @@ pytestmark = pytest.mark.extra_artifacts( "ns1/unlimited.test.db.signed", "ns1/unlimited.test.db.signed.jnl", "ns1/unlimited.test.unlimited.skr.1", + "ns1/invalid-skr.test.db", + "ns1/invalid-skr.test.db.jbk", + "ns1/invalid-skr.test.db.signed", + "ns1/invalid-skr.test.db.signed.jnl", + "ns1/invalid-skr.test.skr.1", ] ) @@ -1298,3 +1304,21 @@ def test_ksr_kskroll(ns1): isctest.kasp.check_apex(ns1, zone, ksks, zsks, offline_ksk=True) # - check subdomain isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True) + + +def test_ksr_oversize(ns1): + zone = "invalid-skr.test" + n = 1 + + skr_fname = f"{zone}.skr.{n}" + token_len = 5000 + with open(skr_fname, "w", encoding="utf-8") as skr: + huge_token = "A" * token_len + skr.write(f";; SignedKeyResponse 1.0 {huge_token}\n") + + # - try importing invalid SKR file + shutil.copyfile(skr_fname, f"ns1/{skr_fname}") + ns1.rndc(f"skr -import {skr_fname} {zone}") + + # - check if named is still running + ns1.rndc("status")
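Review bot: `test_ksr_oversize` only verifies liveness with `ns1.rndc("status")`; it never asserts that the oversized SKR was actually rejected, so a regression that silently accepted the bogus bundle time would still pass. The harness's `rndc()` helper may raise on a non-zero rndc exit (not visible here); if it does, the `skr -import` line would throw before the status check runs, so the expected rejection should be handled explicitly and asserted on, for example by checking the rndc output or named's log for the import error. A comment on `token_len = 5000` stating that it is deliberately larger than the 1024-byte stack buffer removed in PATCH 1/2, `# longer than the removed 1024-byte bundlebuf in dns_skr_read()`, would make the test's intent clear to the next reader.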