upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Invalid NSEC3 can cause OOB read of the isdelegation() stack

Browse source 
When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack.  This patch
fixes the issue by skipping NSEC3 records with an oversized hash length
during validation.

(cherry picked from commit 67b4fb56e4)
This commit is contained in:
Ondřej Surý 2026-02-14 14:43:41 +01:00
parent 8931f82dc8
commit e0d05145e1
2 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/dns/rdata/generic/nsec3_50.c
View file

@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
nsec3->len = region.length;
nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
nsec3->mctx = mctx;
return ISC_R_SUCCESS;
}

3
lib/dns/validator.c
View file

@ -340,6 +340,9 @@ trynsec3:
if (nsec3.hash != 1) {
continue;
}
if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) {
continue;
}
length = isc_iterated_hash(
hash, nsec3.hash, nsec3.iterations, nsec3.salt,
nsec3.salt_length, name->ndata, name->length);