update to nsd 4.1.21

OK sthen

25 files changed, 74 insertions, 31 deletions

diff --git a/usr.sbin/nsd/Makefile.in b/usr.sbin/nsd/Makefile.in
index 5bd2364579c..16d193f766d 100644
--- a/usr.sbin/nsd/Makefile.in
+++ b/usr.sbin/nsd/Makefile.in
@@ -291,6 +291,7 @@ zlexer.c:	$(srcdir)/zlexer.lex
 		echo '#include "config.h"' > $@ ;\
 		$(LEX) -i -t $(srcdir)/zlexer.lex >> $@ ;\
 	fi
+	@if test ! -f $@; then echo "No $@ : need flex and bison to compile from source repository"; exit 1; fi
 
 zparser.c zparser.h: $(srcdir)/zparser.y
 	$(YACC) -d -o zparser.c $(srcdir)/zparser.y
@@ -300,6 +301,7 @@ configlexer.c:	$(srcdir)/configlexer.lex
 		echo '#include "configyyrename.h"' > $@ ;\
 		$(LEX) -i -t $(srcdir)/configlexer.lex >> $@ ;\
 	fi
+	@if test ! -f $@; then echo "No $@ : need flex and bison to compile from source repository"; exit 1; fi
 
 configparser.c configparser.h:	$(srcdir)/configparser.y
 	$(YACC) -d -o configparser.c $(srcdir)/configparser.y
diff --git a/usr.sbin/nsd/config.h.in b/usr.sbin/nsd/config.h.in
index 3cc7d4e546d..795944fb1af 100644
--- a/usr.sbin/nsd/config.h.in
+++ b/usr.sbin/nsd/config.h.in
@@ -392,6 +392,9 @@
 /* Define to the maximum message length to pass to syslog. */
 #undef MAXSYSLOGMSGLEN
 
+/* Define this to cleanup memory at exit (eg. for valgrind, etc.) */
+#undef MEMCLEAN
+
 /* Define if memcmp() does not compare unsigned bytes */
 #undef MEMCMP_IS_BROKEN
 
diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex
index 547e7db3e02..1f2628d7695 100644
--- a/usr.sbin/nsd/configlexer.lex
+++ b/usr.sbin/nsd/configlexer.lex
@@ -272,6 +272,7 @@ zonefiles-write{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILES_WRITE;
 log-time-ascii{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_LOG_TIME_ASCII;}
 round-robin{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_ROUND_ROBIN;}
 minimal-responses{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_MINIMAL_RESPONSES;}
+refuse-any{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_REFUSE_ANY;}
 max-refresh-time{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_MAX_REFRESH_TIME;}
 min-refresh-time{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_MIN_REFRESH_TIME;}
 max-retry-time{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_MAX_RETRY_TIME;}
diff --git a/usr.sbin/nsd/configparser.y b/usr.sbin/nsd/configparser.y
index 36c87c44d19..b9bf8200f99 100644
--- a/usr.sbin/nsd/configparser.y
+++ b/usr.sbin/nsd/configparser.y
@@ -71,7 +71,7 @@ extern config_parser_state_type* cfg_parser;
 %token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT VAR_VERSION
 %token VAR_MAX_REFRESH_TIME VAR_MIN_REFRESH_TIME
 %token VAR_MAX_RETRY_TIME VAR_MIN_RETRY_TIME
-%token VAR_MULTI_MASTER_CHECK VAR_MINIMAL_RESPONSES
+%token VAR_MULTI_MASTER_CHECK VAR_MINIMAL_RESPONSES VAR_REFUSE_ANY
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -103,7 +103,7 @@ content_server: server_ip_address | server_ip_transparent | server_debug_mode |
 	server_zonefiles_check | server_do_ip4 | server_do_ip6 |
 	server_zonefiles_write | server_log_time_ascii | server_round_robin |
 	server_reuseport | server_version | server_ip_freebind |
-	server_minimal_responses;
+	server_minimal_responses | server_refuse_any;
 server_ip_address: VAR_IP_ADDRESS STRING 
 	{ 
 		OUTYY(("P(server_ip_address:%s)\n", $2)); 
@@ -304,6 +304,16 @@ server_minimal_responses: VAR_MINIMAL_RESPONSES STRING
 		}
 	}
 	;
+server_refuse_any: VAR_REFUSE_ANY STRING 
+	{ 
+		OUTYY(("P(server_refuse_any:%s)\n", $2)); 
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else {
+			cfg_parser->opt->refuse_any = (strcmp($2, "yes")==0);
+		}
+	}
+	;
 server_server_count: VAR_SERVER_COUNT STRING
 	{ 
 		OUTYY(("P(server_server_count:%s)\n", $2)); 
diff --git a/usr.sbin/nsd/configure b/usr.sbin/nsd/configure
index 8050504dd46..53d6619bf50 100644
--- a/usr.sbin/nsd/configure
+++ b/usr.sbin/nsd/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.1.20.
+# Generated by GNU Autoconf 2.69 for NSD 4.1.21.
 #
 # Report bugs to <nsd-bugs@nlnetlabs.nl>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='NSD'
 PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.1.20'
-PACKAGE_STRING='NSD 4.1.20'
+PACKAGE_VERSION='4.1.21'
+PACKAGE_STRING='NSD 4.1.21'
 PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1286,7 +1286,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures NSD 4.1.20 to adapt to many kinds of systems.
+\`configure' configures NSD 4.1.21 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1347,7 +1347,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of NSD 4.1.20:";;
+     short | recursive ) echo "Configuration of NSD 4.1.21:";;
    esac
   cat <<\_ACEOF
 
@@ -1496,7 +1496,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-NSD configure 4.1.20
+NSD configure 4.1.21
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2205,7 +2205,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by NSD $as_me 4.1.20, which was
+It was created by NSD $as_me 4.1.21, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -9784,7 +9784,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by NSD $as_me 4.1.20, which was
+This file was extended by NSD $as_me 4.1.21, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -9846,7 +9846,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-NSD config.status 4.1.20
+NSD config.status 4.1.21
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac
index 8c11b400c6a..be37d81776a 100644
--- a/usr.sbin/nsd/configure.ac
+++ b/usr.sbin/nsd/configure.ac
@@ -4,7 +4,7 @@ dnl
 
 sinclude(acx_nlnetlabs.m4)
 
-AC_INIT(NSD,4.1.20,nsd-bugs@nlnetlabs.nl)
+AC_INIT(NSD,4.1.21,nsd-bugs@nlnetlabs.nl)
 AC_CONFIG_HEADER([config.h])
 
 CFLAGS="$CFLAGS"
diff --git a/usr.sbin/nsd/dbcreate.c b/usr.sbin/nsd/dbcreate.c
index d8d4608505b..1d91225f092 100644
--- a/usr.sbin/nsd/dbcreate.c
+++ b/usr.sbin/nsd/dbcreate.c
@@ -234,7 +234,7 @@ print_rrs(FILE* out, struct zone* zone)
 static int
 print_header(zone_type* zone, FILE* out, time_t* now, const char* logs)
 {
-	char buf[4096];
+	char buf[4096+16];
 	/* ctime prints newline at end of this line */
 	snprintf(buf, sizeof(buf), "; zone %s written by NSD %s on %s",
 		zone->opts->name, PACKAGE_VERSION, ctime(now));
diff --git a/usr.sbin/nsd/difffile.c b/usr.sbin/nsd/difffile.c
index 3bcfba6d6e1..eb53c851342 100644
--- a/usr.sbin/nsd/difffile.c
+++ b/usr.sbin/nsd/difffile.c
@@ -1277,6 +1277,7 @@ apply_ixfr_for_zone(nsd_type* nsd, zone_type* zonedb, FILE* in,
 	uint8_t committed;
 	uint32_t i;
 	int num_bytes = 0;
+	assert(zonedb);
 
 	/* read zone name and serial */
 	if(!diff_read_32(in, &type)) {
@@ -1363,6 +1364,7 @@ apply_ixfr_for_zone(nsd_type* nsd, zone_type* zonedb, FILE* in,
 				i, num_parts, &is_axfr, &delete_mode,
 				&rr_count, (nsd->db->udb?&z:NULL), &zonedb,
 				patname_buf, &num_bytes, &softfail);
+			assert(zonedb);
 			if(ret == 0) {
 				log_msg(LOG_ERR, "bad ixfr packet part %d in diff file for %s", (int)i, zone_buf);
 				xfrd_unlink_xfrfile(nsd, xfrfilenr);
diff --git a/usr.sbin/nsd/nsd-checkconf.8.in b/usr.sbin/nsd/nsd-checkconf.8.in
index 2425e69e4fe..43013b8b42a 100644
--- a/usr.sbin/nsd/nsd-checkconf.8.in
+++ b/usr.sbin/nsd/nsd-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Jun 14, 2016" "NLnet Labs" "nsd 4.1.10"
+.TH "nsd\-checkconf" "8" "May 14, 2018" "NLnet Labs" "nsd 4.1.21"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff --git a/usr.sbin/nsd/nsd-checkconf.c b/usr.sbin/nsd/nsd-checkconf.c
index 6f3354fa95b..a31e3db0cec 100644
--- a/usr.sbin/nsd/nsd-checkconf.c
+++ b/usr.sbin/nsd/nsd-checkconf.c
@@ -369,6 +369,7 @@ config_print_zone(nsd_options_type* opt, const char* k, int s, const char *o,
 		SERV_GET_BIN(log_time_ascii, o);
 		SERV_GET_BIN(round_robin, o);
 		SERV_GET_BIN(minimal_responses, o);
+		SERV_GET_BIN(refuse_any, o);
 		/* str */
 		SERV_GET_PATH(final, database, o);
 		SERV_GET_STR(identity, o);
@@ -508,6 +509,7 @@ config_test_print_server(nsd_options_type* opt)
 	printf("\tlog-time-ascii: %s\n", opt->log_time_ascii?"yes":"no");
 	printf("\tround-robin: %s\n", opt->round_robin?"yes":"no");
 	printf("\tminimal-responses: %s\n", opt->minimal_responses?"yes":"no");
+	printf("\trefuse-any: %s\n", opt->refuse_any?"yes":"no");
 	printf("\tverbosity: %d\n", opt->verbosity);
 	for(ip = opt->ip_addresses; ip; ip=ip->next)
 	{
diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in
index 2be9443d388..4903bd0d8c6 100644
--- a/usr.sbin/nsd/nsd-checkzone.8.in
+++ b/usr.sbin/nsd/nsd-checkzone.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Jun 14, 2016" "NLnet Labs" "nsd 4.1.10"
+.TH "nsd\-checkzone" "8" "May 14, 2018" "NLnet Labs" "nsd 4.1.21"
 .\" Copyright (c) 2014, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff --git a/usr.sbin/nsd/nsd-control.8.in b/usr.sbin/nsd/nsd-control.8.in
index bf8d90d2fc0..b195a4cb3d3 100644
--- a/usr.sbin/nsd/nsd-control.8.in
+++ b/usr.sbin/nsd/nsd-control.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-control" "8" "Jun 14, 2016" "NLnet Labs" "nsd 4.1.10"
+.TH "nsd\-control" "8" "May 14, 2018" "NLnet Labs" "nsd 4.1.21"
 .\" Copyright (c) 2011, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff --git a/usr.sbin/nsd/nsd-mem.c b/usr.sbin/nsd/nsd-mem.c
index 9383f84861a..53c8958b109 100644
--- a/usr.sbin/nsd/nsd-mem.c
+++ b/usr.sbin/nsd/nsd-mem.c
@@ -313,7 +313,7 @@ main(int argc, char *argv[])
 		}
 	}
 	argc -= optind;
-	argv += optind;
+	/* argv += optind; move along argv for positional arguments */
 
 	/* Commandline parse error */
 	if (argc != 0) {
diff --git a/usr.sbin/nsd/nsd.8.in b/usr.sbin/nsd/nsd.8.in
index 89afd9ca159..96004600ac8 100644
--- a/usr.sbin/nsd/nsd.8.in
+++ b/usr.sbin/nsd/nsd.8.in
@@ -1,9 +1,9 @@
-.TH "NSD" "8" "Jun 14, 2016" "NLnet Labs" "NSD 4.1.10"
+.TH "NSD" "8" "May 14, 2018" "NLnet Labs" "NSD 4.1.21"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
 .B nsd
-\- Name Server Daemon (NSD) version 4.1.10.
+\- Name Server Daemon (NSD) version 4.1.21.
 .SH "SYNOPSIS"
 .B nsd
 .RB [ \-4 ] 
diff --git a/usr.sbin/nsd/nsd.conf.5.in b/usr.sbin/nsd/nsd.conf.5.in
index ec2cdd6d894..bdac602efb8 100644
--- a/usr.sbin/nsd/nsd.conf.5.in
+++ b/usr.sbin/nsd/nsd.conf.5.in
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Jun 14, 2016" "NLnet Labs" "nsd 4.1.10"
+.TH "nsd.conf" "5" "May 14, 2018" "NLnet Labs" "nsd 4.1.21"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
@@ -377,6 +377,12 @@ that reduces packets, but exactly to the fragmentation length, the nsd.conf
 option reduces packets as small as possible.
 The default is no.
 .TP
+.B refuse\-any:\fR <yes or no>
+Refuse queries of type ANY.  This is useful to stop query floods trying
+to get large responses.  Note that rrl ratelimiting also has type ANY as
+a ratelimiting type.
+The default is no.
+.TP
 .B zonefiles\-check:\fR <yes or no>
 Make NSD check the mtime of zone files on start and sighup.  If you
 disable it it starts faster (less disk activity in case of a lot of zones).
diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in
index 1b6ceef4361..7cb2e719b46 100644
--- a/usr.sbin/nsd/nsd.conf.sample.in
+++ b/usr.sbin/nsd/nsd.conf.sample.in
@@ -135,6 +135,9 @@ server:
 	# minimal-responses only emits extra data for referrals.
 	# minimal-responses: no
 
+	# refuse queries of type ANY.  For stopping floods.
+	# refuse-any: no
+
 	# check mtime of all zone files on start and sighup
 	# zonefiles-check: yes
 	
diff --git a/usr.sbin/nsd/options.c b/usr.sbin/nsd/options.c
index dd6d29b446a..d0bed6a9b94 100644
--- a/usr.sbin/nsd/options.c
+++ b/usr.sbin/nsd/options.c
@@ -65,6 +65,7 @@ nsd_options_create(region_type* region)
 	opt->log_time_ascii = 1;
 	opt->round_robin = 0; /* also packet.h::round_robin */
 	opt->minimal_responses = 0; /* also packet.h::minimal_responses */
+	opt->refuse_any = 0;
 	opt->server_count = 1;
 	opt->tcp_count = 100;
 	opt->tcp_query_count = 0;
diff --git a/usr.sbin/nsd/options.h b/usr.sbin/nsd/options.h
index bbfbbf98c41..fddfa8d4239 100644
--- a/usr.sbin/nsd/options.h
+++ b/usr.sbin/nsd/options.h
@@ -94,6 +94,7 @@ struct nsd_options {
 	int log_time_ascii;
 	int round_robin;
 	int minimal_responses;
+	int refuse_any;
 	int reuseport;
 
         /** remote control section. enable toggle. */
diff --git a/usr.sbin/nsd/query.c b/usr.sbin/nsd/query.c
index 834104e0761..29cf9f45562 100644
--- a/usr.sbin/nsd/query.c
+++ b/usr.sbin/nsd/query.c
@@ -184,7 +184,7 @@ query_cleanup(void *data)
 
 query_type *
 query_create(region_type *region, uint16_t *compressed_dname_offsets,
-	size_t compressed_dname_size)
+	size_t compressed_dname_size, domain_type **compressed_dnames)
 {
 	query_type *query
 		= (query_type *) region_alloc_zero(region, sizeof(query_type));
@@ -192,6 +192,7 @@ query_create(region_type *region, uint16_t *compressed_dname_offsets,
 	   saves many mallocs in the server */
 	query->region = region_create_custom(xalloc, free, 16384, 16384/8, 32, 0);
 	query->compressed_dname_offsets = compressed_dname_offsets;
+	query->compressed_dnames = compressed_dnames;
 	query->packet = buffer_create(region, QIOBUFSZ);
 	region_add_cleanup(region, query_cleanup, query);
 	query->compressed_dname_offsets_size = compressed_dname_size;
@@ -1215,6 +1216,7 @@ answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer,
 			RCODE_SET(q->packet, RCODE_REFUSE);
 		return;
 	}
+	assert(closest_encloser); /* otherwise, no q->zone would be found */
 	if(!q->zone->apex || !q->zone->soa_rrset) {
 		/* zone is configured but not loaded */
 		if(q->cname_count == 0)
@@ -1488,6 +1490,8 @@ query_process(query_type *q, nsd_type *nsd)
 	if (query_state == QUERY_PROCESSED || query_state == QUERY_IN_AXFR) {
 		return query_state;
 	}
+	if(q->qtype == TYPE_ANY && nsd->options->refuse_any)
+		return query_error(q, NSD_RC_REFUSE);
 
 	answer_query(nsd, q);
 
diff --git a/usr.sbin/nsd/query.h b/usr.sbin/nsd/query.h
index f22b7229e81..0a511f5931b 100644
--- a/usr.sbin/nsd/query.h
+++ b/usr.sbin/nsd/query.h
@@ -96,7 +96,7 @@ struct query {
 
 	/* Used for dname compression.  */
 	uint16_t     compressed_dname_count;
-	domain_type *compressed_dnames[MAXRRSPP];
+	domain_type **compressed_dnames;
 
 	 /*
 	  * Indexed by domain->number, index 0 is reserved for the
@@ -172,7 +172,8 @@ void query_add_compression_domain(struct query *query,
  */
 query_type *query_create(region_type *region,
 			 uint16_t *compressed_dname_offsets,
-			 size_t compressed_dname_size);
+			 size_t compressed_dname_size,
+			 domain_type **compressed_dnames);
 
 /*
  * Reset a query structure so it is ready for receiving and processing
diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c
index 2531ff6424b..36334da89a8 100644
--- a/usr.sbin/nsd/server.c
+++ b/usr.sbin/nsd/server.c
@@ -219,6 +219,7 @@ static void configure_handler_event_types(short event_types);
 static uint16_t *compressed_dname_offsets = 0;
 static uint32_t compression_table_capacity = 0;
 static uint32_t compression_table_size = 0;
+static domain_type* compressed_dnames[MAXRRSPP];
 
 /*
  * Remove the specified pid from the list of child pids.  Returns -1 if
@@ -2056,13 +2057,15 @@ server_child(struct nsd *nsd)
 	if (nsd->server_kind & NSD_SERVER_UDP) {
 #if (defined(NONBLOCKING_IS_BROKEN) || !defined(HAVE_RECVMMSG))
 		udp_query = query_create(server_region,
-			compressed_dname_offsets, compression_table_size);
+			compressed_dname_offsets, compression_table_size,
+			compressed_dnames);
 #else
 		udp_query = NULL;
 		memset(msgs, 0, sizeof(msgs));
 		for (i = 0; i < NUM_RECV_PER_SELECT; i++) {
 			queries[i] = query_create(server_region,
-				compressed_dname_offsets, compression_table_size);
+				compressed_dname_offsets,
+				compression_table_size, compressed_dnames);
 			query_reset(queries[i], UDP_MAX_MESSAGE_LEN, 0);
 			iovecs[i].iov_base          = buffer_begin(queries[i]->packet);
 			iovecs[i].iov_len           = buffer_remaining(queries[i]->packet);;
@@ -2935,7 +2938,7 @@ handle_tcp_accept(int fd, short event, void* arg)
 		tcp_region, sizeof(struct tcp_handler_data));
 	tcp_data->region = tcp_region;
 	tcp_data->query = query_create(tcp_region, compressed_dname_offsets,
-		compression_table_size);
+		compression_table_size, compressed_dnames);
 	tcp_data->nsd = data->nsd;
 	tcp_data->query_count = 0;
 
diff --git a/usr.sbin/nsd/udb.c b/usr.sbin/nsd/udb.c
index 3e91c7c8b4c..1b41ab91156 100644
--- a/usr.sbin/nsd/udb.c
+++ b/usr.sbin/nsd/udb.c
@@ -62,7 +62,8 @@ chunk_get_last(void* base, udb_void chunk, int exp)
 static void
 chunk_set_last(void* base, udb_void chunk, int exp, uint8_t value)
 {
-	*((uint8_t*)UDB_REL(base, chunk+(1<<exp)-1)) = value;
+	assert(exp >= 0 && exp <= 63);
+	*((uint8_t*)UDB_REL(base, chunk+((uint64_t)1<<exp)-1)) = value;
 }
 
 /** create udb_base from a file descriptor (must be at start of file) */
@@ -627,6 +628,7 @@ int udb_exp_size(uint64_t a)
 		i >>= 1;
 		x ++;
 	}
+	assert( x>=0 && x<=63);
 	assert( ((uint64_t)1<<x) >= a);
 	assert( x==0 || ((uint64_t)1<<(x-1)) < a);
 	return x;
diff --git a/usr.sbin/nsd/xfr-inspect.c b/usr.sbin/nsd/xfr-inspect.c
index e31d64a413a..c87ff47ebcc 100644
--- a/usr.sbin/nsd/xfr-inspect.c
+++ b/usr.sbin/nsd/xfr-inspect.c
@@ -375,7 +375,7 @@ list_header(FILE* in)
 	time_start = (time_t)time_start_0;
 
 	/* printf("; type:		%x\n", (int)type); */
-	printf("; commited:	%d (%s)\n", (int)committed,
+	printf("; committed:	%d (%s)\n", (int)committed,
 		committed?"yes":"no");
 	printf("; num_parts:	%d\n", (int)num_parts);
 	printf("; time_end:	%d.%6.6d %s", (int)time_end_0,
diff --git a/usr.sbin/nsd/xfrd-disk.c b/usr.sbin/nsd/xfrd-disk.c
index 33f1dcac248..6ae8cd6249b 100644
--- a/usr.sbin/nsd/xfrd-disk.c
+++ b/usr.sbin/nsd/xfrd-disk.c
@@ -559,7 +559,7 @@ tempxfrname(char* buf, size_t sz, struct nsd* nsd, uint64_t number)
 FILE*
 xfrd_open_xfrfile(struct nsd* nsd, uint64_t number, char* mode)
 {
-	char fname[1024];
+	char fname[1200];
 	FILE* xfr;
 	tempxfrname(fname, sizeof(fname), nsd, number);
 	xfr = fopen(fname, mode);
@@ -579,7 +579,7 @@ xfrd_open_xfrfile(struct nsd* nsd, uint64_t number, char* mode)
 void
 xfrd_unlink_xfrfile(struct nsd* nsd, uint64_t number)
 {
-	char fname[1024];
+	char fname[1200];
 	tempxfrname(fname, sizeof(fname), nsd, number);
 	if(unlink(fname) == -1) {
 		log_msg(LOG_WARNING, "could not unlink %s: %s", fname,
@@ -590,7 +590,7 @@ xfrd_unlink_xfrfile(struct nsd* nsd, uint64_t number)
 uint64_t
 xfrd_get_xfrfile_size(struct nsd* nsd, uint64_t number )
 {
-	char fname[1024];
+	char fname[1200];
 	struct stat tempxfr_stat;
 	tempxfrname(fname, sizeof(fname), nsd, number);
 	if( stat( fname, &tempxfr_stat ) < 0 ) {
diff --git a/usr.sbin/nsd/zonec.c b/usr.sbin/nsd/zonec.c
index 0938c35a573..3caec0686f8 100644
--- a/usr.sbin/nsd/zonec.c
+++ b/usr.sbin/nsd/zonec.c
@@ -805,6 +805,7 @@ precsize_aton (char *cp, char **endptr)
 	}
 
 	if(mval >= poweroften[7]) {
+		assert(poweroften[7] != 0);
 		/* integer overflow possible for *100 */
 		mantissa = mval / poweroften[7];
 		exponent = 9; /* max */
@@ -816,6 +817,7 @@ precsize_aton (char *cp, char **endptr)
 			if (cmval < poweroften[exponent+1])
 				break;
 
+		assert(poweroften[exponent] != 0);
 		mantissa = cmval / poweroften[exponent];
 	}
 	if (mantissa > 9)