resolved: packet - refuse empty type bitmaps

The NSEC type itself must at least be in the bitmap, so NSEC records with empty bitmaps must be bogus.
author: Tom Gundersen <teg@jklm.no> 2015-07-28 23:16:52 +0200
committer: Tom Gundersen <teg@jklm.no> 2015-07-28 23:25:52 +0200
commit: bfcc67093d1a8f3f38d3b412fca24b00e775caaa (patch)
tree: 7ab3bfd4c7729fe0ca535933c3ff3f9f15fe6c5f /src
parent: 2ad613addbabc3ffec6d12a1b5c62ff0d07b4a29 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 88a3089a72..39951a362c 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1666,8 +1666,12 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
                 if (r < 0)
                         goto fail;
 
-                /* NSEC RRs with empty bitmpas makes no sense, but the RFC does not explicitly forbid them
-                   so we allow it */
+                /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means
+                   something went wrong */
+                if (bitmap_isclear(rr->nsec.types)) {
+                        r = -EBADMSG;
+                        goto fail;
+                }
 
                 break;
author	Tom Gundersen <teg@jklm.no>	2015-07-28 23:16:52 +0200
committer	Tom Gundersen <teg@jklm.no>	2015-07-28 23:25:52 +0200
commit	bfcc67093d1a8f3f38d3b412fca24b00e775caaa (patch)
tree	7ab3bfd4c7729fe0ca535933c3ff3f9f15fe6c5f /src
parent	2ad613addbabc3ffec6d12a1b5c62ff0d07b4a29 (diff)