From df4711df64fd2ed7e60e08c65a0e220fe54e83b5 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 8 Apr 2024 16:54:47 +0200 Subject: Merging debian version 5.6.0-1+deb12u1. Signed-off-by: Daniel Baumann --- ...efuse-to-validate-answers-with-more-than-.patch | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 debian/patches/0005-validator-refuse-to-validate-answers-with-more-than-.patch (limited to 'debian/patches/0005-validator-refuse-to-validate-answers-with-more-than-.patch') diff --git a/debian/patches/0005-validator-refuse-to-validate-answers-with-more-than-.patch b/debian/patches/0005-validator-refuse-to-validate-answers-with-more-than-.patch new file mode 100644 index 0000000..dd547a1 --- /dev/null +++ b/debian/patches/0005-validator-refuse-to-validate-answers-with-more-than-.patch @@ -0,0 +1,37 @@ +From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= +Date: Mon, 12 Feb 2024 11:16:47 +0100 +Subject: validator: refuse to validate answers with more than 8 NSEC3 records + +--- + lib/layer/validate.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/lib/layer/validate.c b/lib/layer/validate.c +index 5fea99d..95a7624 100644 +--- a/lib/layer/validate.c ++++ b/lib/layer/validate.c +@@ -1120,6 +1120,24 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt) + } + } + ++ /* Check for too many NSEC3 records. That's an issue, as some parts of validation ++ * are quadratic in their count, doing nontrivial computations inside. ++ * Also there seems to be no use in sending many NSEC3 records. */ ++ if (!qry->flags.CACHED) { ++ const knot_pktsection_t *sec = knot_pkt_section(pkt, KNOT_AUTHORITY); ++ int count = 0; ++ for (int i = 0; i < sec->count; ++i) ++ count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3); ++ if (count > 8) { ++ VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count); ++ kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS, ++ /* It's not about iteration values per se, but close enough. */ ++ "DYRH: too many NSEC3 records"); ++ qry->flags.DNSSEC_BOGUS = true; ++ return KR_STATE_FAIL; ++ } ++ } ++ + if (knot_wire_get_aa(pkt->wire) && qtype == KNOT_RRTYPE_DNSKEY) { + const knot_rrset_t *ds = qry->zone_cut.trust_anchor; + if (ds && !kr_ds_algo_support(ds)) { -- cgit v1.2.3