resoled: dnssec - don't refuse to verify answer due to too many unrelated RRs

Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we actually try to verify, not about the total number of RRs in the RRSet.
author: Tom Gundersen <teg@jklm.no> 2015-12-28 19:05:59 +0100
committer: Tom Gundersen <teg@jklm.no> 2016-01-01 16:48:52 +0100
commit: 935a999f7d6881af2e888316be7165801420dc5f (patch)
tree: 45cccae2fb53d6951986a850636a2f881c0b9de0 /src
parent: ac04adbeb9d0b19e77a715715be24779f7dcf1b2 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6a6aabc18f..552fd48fba 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -525,9 +525,6 @@ int dnssec_verify_rrset(
         if (md_algorithm < 0)
                 return md_algorithm;
 
-        if (a->n_rrs > VERIFY_RRS_MAX)
-                return -E2BIG;
-
         r = dnssec_rrsig_expired(rrsig, realtime);
         if (r < 0)
                 return r;
@@ -552,6 +549,9 @@ int dnssec_verify_rrset(
                         return r;
 
                 list[n++] = rr;
+
+                if (n > VERIFY_RRS_MAX)
+                        return -E2BIG;
         }
 
         if (n <= 0)
author	Tom Gundersen <teg@jklm.no>	2015-12-28 19:05:59 +0100
committer	Tom Gundersen <teg@jklm.no>	2016-01-01 16:48:52 +0100
commit	935a999f7d6881af2e888316be7165801420dc5f (patch)
tree	45cccae2fb53d6951986a850636a2f881c0b9de0 /src
parent	ac04adbeb9d0b19e77a715715be24779f7dcf1b2 (diff)