From bfcc67093d1a8f3f38d3b412fca24b00e775caaa Mon Sep 17 00:00:00 2001
From: Tom Gundersen
Date: Tue, 28 Jul 2015 23:16:52 +0200
Subject: resolved: packet - refuse empty type bitmaps

The NSEC type itself must at least be in the bitmap, so NSEC records with empty bitmaps must be bogus.
---
 src/resolve/resolved-dns-packet.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src/resolve')

diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 88a3089a72..39951a362c 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1666,8 +1666,12 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
                         if (r < 0)
                                 goto fail;
 
-                        /* NSEC RRs with empty bitmpas makes no sense, but the RFC does not explicitly forbid them
-                           so we allow it */
+                        /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means
+                           something went wrong */
+                        if (bitmap_isclear(rr->nsec.types)) {
+                                r = -EBADMSG;
+                                goto fail;
+                        }
 
                         break;
 
-- 
cgit v1.2.3-54-g00ecf
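Review bot: The new guard rejects only an all-clear bitmap, while the comment and the commit message justify it by the NSEC bit having to be present (RFC 4035 §2.3 requires every NSEC type bitmap to carry the NSEC and RRSIG bits), so a non-empty bitmap that omits NSEC still passes. If the stated rule is the one intended, the precise check is `if (!bitmap_isset(rr->nsec.types, DNS_TYPE_NSEC)) {` with the same -EBADMSG path; if the looser emptiness check is deliberate, say so in the comment, e.g. `/* RFC 4035 §2.3 requires at least NSEC and RRSIG in the bitmap; we reject only the all-clear case */`. Either way the comment should cite the RFC so a reader can tell which requirement the parser enforces. The guard sits inside dns_packet_read_rr, whose body starts and ends outside the hunk, so what the fail label does with the partially built rr (presumably unref and rewind) is not visible here.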