From e0d05145e1e36ff4fdf7615f762f58f8000f44e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sat, 14 Feb 2026 14:43:41 +0100 Subject: [PATCH] Invalid NSEC3 can cause OOB read of the isdelegation() stack When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a harmless out-of-bound read of the isdelegation() stack. This patch fixes the issue by skipping NSEC3 records with an oversized hash length during validation. (cherry picked from commit 67b4fb56e40bf856e1fccd41e752d5f486b5b569) --- lib/dns/rdata/generic/nsec3_50.c | 1 + lib/dns/validator.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c index 600a90f9bd..9f4d4e5a99 100644 --- a/lib/dns/rdata/generic/nsec3_50.c +++ b/lib/dns/rdata/generic/nsec3_50.c @@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) { nsec3->len = region.length; nsec3->typebits = mem_maybedup(mctx, region.base, region.length); nsec3->mctx = mctx; + return ISC_R_SUCCESS; } diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 0cd2cfb6c2..4ab4ee407e 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -340,6 +340,9 @@ trynsec3: if (nsec3.hash != 1) { continue; } + if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) { + continue; + } length = isc_iterated_hash( hash, nsec3.hash, nsec3.iterations, nsec3.salt, nsec3.salt_length, name->ndata, name->length);