resolved: don't accept NSEC3 iteration fields unbounded
parent
31d5192d0c
commit
a8f158b929
|
@ -53,6 +53,9 @@
|
|||
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
|
||||
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
|
||||
|
||||
/* Maximum number of NSEC3 iterations we'll do. */
|
||||
#define NSEC3_ITERATIONS_MAX 2048
|
||||
|
||||
/*
|
||||
* The DNSSEC Chain of trust:
|
||||
*
|
||||
|
@ -1087,6 +1090,9 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
|
|||
if (nsec3->key->type != DNS_TYPE_NSEC3)
|
||||
return -EINVAL;
|
||||
|
||||
if (nsec3->nsec3.iterations > NSEC3_ITERATIONS_MAX)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
algorithm = nsec3_hash_to_gcrypt_md(nsec3->nsec3.algorithm);
|
||||
if (algorithm < 0)
|
||||
return algorithm;
|
||||
|
@ -1155,6 +1161,9 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourc
|
|||
/* Ignore NSEC3 RRs whose algorithm we don't know */
|
||||
if (nsec3_hash_to_gcrypt_md(rr->nsec3.algorithm) < 0)
|
||||
return 0;
|
||||
/* Ignore NSEC3 RRs with an excessive number of required iterations */
|
||||
if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
|
||||
return 0;
|
||||
|
||||
if (!nsec3)
|
||||
return 1;
|
||||
|
|
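Review bot: In the nsec3_is_good() hunk an over-limit NSEC3 RR is dropped with a bare `return 0`, exactly like an unknown hash algorithm, so a zone that publishes more than NSEC3_ITERATIONS_MAX iterations simply appears to have no usable denial-of-existence proof and nothing records why. A debug line before that return would make the case diagnosable, e.g. `log_debug("Ignoring NSEC3 RR with %u iterations, limit is %u.", (unsigned) rr->nsec3.iterations, (unsigned) NSEC3_ITERATIONS_MAX);`, assuming the file's usual logging helper is in scope there. Whether the resolver then reports the answer as insecure or as bogus is decided by callers outside these hunks, as is the handling of the new `-EOPNOTSUPP` from dnssec_nsec3_hash(); RFC 5155 section 10.3 lets a validator treat over-limit responses as insecure, so that path is worth checking. The comment on NSEC3_ITERATIONS_MAX could also state where 2048 comes from, since RFC 5155 ties its iteration limits to key size.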