resolved: don't accept NSEC3 iteration fields unbounded

2016-01-02 21:33:17 +01:00 · 2016-01-02 21:33:17 +01:00 · a8f158b929
parent 31d5192d0c
commit a8f158b929
1 changed files with 9 additions and 0 deletions
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -53,6 +53,9 @@
 /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
 #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)

+/* Maximum number of NSEC3 iterations we'll do. */
+#define NSEC3_ITERATIONS_MAX 2048
+
 /*
 * The DNSSEC Chain of trust:
 *
@ -1087,6 +1090,9 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
        if (nsec3->key->type != DNS_TYPE_NSEC3)
                return -EINVAL;

+        if (nsec3->nsec3.iterations > NSEC3_ITERATIONS_MAX)
+                return -EOPNOTSUPP;
+
        algorithm = nsec3_hash_to_gcrypt_md(nsec3->nsec3.algorithm);
        if (algorithm < 0)
                return algorithm;
@ -1155,6 +1161,9 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourc
        /* Ignore NSEC3 RRs whose algorithm we don't know */
        if (nsec3_hash_to_gcrypt_md(rr->nsec3.algorithm) < 0)
                return 0;
+        /* Ignore NSEC3 RRs with an excessive number of required iterations */
+        if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
+                return 0;

        if (!nsec3)
                return 1;