summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-dnssec.c
diff options
context:
space:
mode:
authorTom Gundersen <teg@jklm.no>2015-12-28 19:05:59 +0100
committerTom Gundersen <teg@jklm.no>2016-01-01 16:48:52 +0100
commit935a999f7d6881af2e888316be7165801420dc5f (patch)
tree45cccae2fb53d6951986a850636a2f881c0b9de0 /src/resolve/resolved-dns-dnssec.c
parentac04adbeb9d0b19e77a715715be24779f7dcf1b2 (diff)
resoled: dnssec - don't refuse to verify answer due to too many unrelated RRs
Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we actually try to verify, not about the total number of RRs in the RRSet.
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r--src/resolve/resolved-dns-dnssec.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6a6aabc18f..552fd48fba 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -525,9 +525,6 @@ int dnssec_verify_rrset(
if (md_algorithm < 0)
return md_algorithm;
- if (a->n_rrs > VERIFY_RRS_MAX)
- return -E2BIG;
-
r = dnssec_rrsig_expired(rrsig, realtime);
if (r < 0)
return r;
@@ -552,6 +549,9 @@ int dnssec_verify_rrset(
return r;
list[n++] = rr;
+
+ if (n > VERIFY_RRS_MAX)
+ return -E2BIG;
}
if (n <= 0)