- Fix for VU#209659 CVE-2011-4528: Unbound denial of service

vulnerabilities from nonstandard redirection and denial of existence http://www.unbound.net/downloads/CVE-2011-4528.txt - robust checks for next-closer NSEC3s. - tag 1.4.14 created. git-svn-id: file:///svn/unbound/trunk@2574 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2011-12-19 10:55:32 +00:00 · 2011-12-19 10:55:32 +00:00 · 0916e1d0ea
commit 0916e1d0ea
parent 65ad15da56
3 changed files with 22 additions and 2 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,10 @@
+19 December 2011: Wouter
+	- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
+	  vulnerabilities from nonstandard redirection and denial of existence
+	  http://www.unbound.net/downloads/CVE-2011-4528.txt
+	- robust checks for next-closer NSEC3s.
+	- tag 1.4.14 created.
+
 15 December 2011: Wouter
 	- remove uninit warning from cachedump code.
 	- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@ -187,11 +187,14 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
 	size_t* snamelen)
 {
 	if(rrset->rr_count != 1) {
+		struct rr_parse* sig;
 		verbose(VERB_ALGO, "Found CNAME rrset with "
 			"size > 1: %u", (unsigned)rrset->rr_count);
 		/* use the first CNAME! */
 		rrset->rr_count = 1;
 		rrset->size = rrset->rr_first->size;
+		for(sig=rrset->rrsig_first; sig; sig=sig->next)
+			rrset->size += sig->size;
 		rrset->rr_last = rrset->rr_first;
 		rrset->rr_first->next = NULL;
 	}
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@ -1196,8 +1196,7 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 			return sec_status_bogus;
 		}
 		/* everything is peachy keen, except for optout spans */
-		log_assert(ce.nc_rrset);
-		if(nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+		if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
 			verbose(VERB_ALGO, "nsec3 nodata proof: matching "
 				"wildcard is in optout range, insecure");
 			return sec_status_insecure;
@ -1209,6 +1208,10 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 	/* Due to forwarders, cnames, and other collating effects, we
 	 * can see the ordinary unsigned data from a zone beneath an
 	 * insecure delegation under an optout here */
+	if(!ce.nc_rrset) {
+		verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
+		return sec_status_bogus;
+	}

 	/* We need to make sure that the covering NSEC3 is opt-out. */
 	log_assert(ce.nc_rrset);
@ -1383,6 +1386,13 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 		return sec_status_bogus;
 	}

+	/* robust extra check */
+	if(!ce.nc_rrset) {
+		verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
+		*reason = "no NSEC3 next closer";
+		return sec_status_bogus;
+	}
+
 	/* we had the closest encloser proof, then we need to check that the
 	 * covering NSEC3 was opt-out -- the proveClosestEncloser step already
 	 * checked to see if the closest encloser was a delegation or DNAME.