resolved: packet - refuse empty type bitmaps

The NSEC type itself must at least be in the bitmap, so NSEC records with empty bitmaps must be bogus.
2015-07-28 23:16:52 +02:00 · 2015-07-28 23:16:52 +02:00 · bfcc67093d
parent 2ad613addb
commit bfcc67093d
1 changed files with 6 additions and 2 deletions
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@ -1666,8 +1666,12 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
                if (r < 0)
                        goto fail;

-                /* NSEC RRs with empty bitmpas makes no sense, but the RFC does not explicitly forbid them
-                   so we allow it */
+                /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means
+                   something went wrong */
+                if (bitmap_isclear(rr->nsec.types)) {
+                        r = -EBADMSG;
+                        goto fail;
+                }

                break;