- Fix #441: Minimal NSEC range not accepted for top level domains.

W.C.A. Wijngaards 2021-03-17 14:04:02 +01:00
parent 0927fe6fc4
commit 0c07861404
2 changed files with 21 additions and 6 deletions


@ -1,3 +1,6 @@
17 March 2021: Wouter
- Fix #441: Minimal NSEC range not accepted for top level domains.
11 March 2021: Wouter 11 March 2021: Wouter
- Fix parse of LOC RR type for decimetres. - Fix parse of LOC RR type for decimetres.


@ -640,25 +640,37 @@ store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
/** /**
* Check if right hand name in NSEC is within zone * Check if right hand name in NSEC is within zone
* @param pkt: the packet buffer for decompression.
* @param rrset: the NSEC rrset * @param rrset: the NSEC rrset
* @param zonename: the zone name. * @param zonename: the zone name.
* @return true if BAD. * @return true if BAD.
*/ */
static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
uint8_t* zonename) struct rrset_parse* rrset, uint8_t* zonename)
{ {
struct rr_parse* rr; struct rr_parse* rr;
uint8_t* rhs; uint8_t* rhs;
size_t len; size_t len;
log_assert(rrset->type == LDNS_RR_TYPE_NSEC); log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
for(rr = rrset->rr_first; rr; rr = rr->next) { for(rr = rrset->rr_first; rr; rr = rr->next) {
size_t pos = sldns_buffer_position(pkt);
size_t rhspos;
rhs = rr->ttl_data+4+2; rhs = rr->ttl_data+4+2;
len = sldns_read_uint16(rr->ttl_data+4); len = sldns_read_uint16(rr->ttl_data+4);
if(!dname_valid(rhs, len)) { rhspos = rhs-sldns_buffer_begin(pkt);
/* malformed domain name in rdata */ sldns_buffer_set_position(pkt, rhspos);
if(pkt_dname_len(pkt) == 0) {
/* malformed */
sldns_buffer_set_position(pkt, pos);
return 1; return 1;
} }
if(!dname_subdomain_c(rhs, zonename)) { if(sldns_buffer_position(pkt)-rhspos > len) {
/* outside of rdata boundaries */
sldns_buffer_set_position(pkt, pos);
return 1;
}
sldns_buffer_set_position(pkt, pos);
if(!pkt_sub(pkt, rhs, zonename)) {
/* overreaching */ /* overreaching */
return 1; return 1;
} }
@ -791,7 +803,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
} }
/* check if right hand side of NSEC is within zone */ /* check if right hand side of NSEC is within zone */
if(rrset->type == LDNS_RR_TYPE_NSEC && if(rrset->type == LDNS_RR_TYPE_NSEC &&
sanitize_nsec_is_overreach(rrset, zonename)) { sanitize_nsec_is_overreach(pkt, rrset, zonename)) {
remove_rrset("sanitize: removing overreaching NSEC " remove_rrset("sanitize: removing overreaching NSEC "
"RRset:", pkt, msg, prev, &rrset); "RRset:", pkt, msg, prev, &rrset);
continue; continue;
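Review bot: The rdata-boundary test `sldns_buffer_position(pkt)-rhspos > len` in the loop of sanitize_nsec_is_overreach is only correct if pkt_dname_len leaves the buffer position just past the bytes the name occupies inside the rdata (after a first compression pointer, not at the pointer's target), and that helper is not visible in this hunk. Because this check is what confines a peer-supplied NSEC next-name to its own RR, the assumption should be written next to it, for example `/* pkt_dname_len leaves the position after the in-rdata part of the name, so position-rhspos is the encoded length within this RR */`. The name is also walked before its extent is compared with `len`, so the walk itself is bounded only by the packet buffer; that looks intentional, but it deserves a word in the same comment. The saved position is restored on three separate paths, so reading the end position into a local and restoring once before both checks would make a missed restore less likely in later edits. The function body continues past the end of the first hunk.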