summaryrefslogtreecommitdiffstats
path: root/usr.sbin/nsd/tsig.c
diff options
context:
space:
mode:
Diffstat (limited to 'usr.sbin/nsd/tsig.c')
-rw-r--r--usr.sbin/nsd/tsig.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/usr.sbin/nsd/tsig.c b/usr.sbin/nsd/tsig.c
index 91ca99b93b5..8b24fd1bf07 100644
--- a/usr.sbin/nsd/tsig.c
+++ b/usr.sbin/nsd/tsig.c
@@ -546,10 +546,10 @@ int
tsig_find_rr(tsig_record_type *tsig, buffer_type *packet)
{
size_t saved_position = buffer_position(packet);
- size_t rrcount = (QDCOUNT(packet)
- + ANCOUNT(packet)
- + NSCOUNT(packet)
- + ARCOUNT(packet));
+ size_t rrcount = ((size_t)QDCOUNT(packet)
+ + (size_t)ANCOUNT(packet)
+ + (size_t)NSCOUNT(packet)
+ + (size_t)ARCOUNT(packet));
size_t i;
int result;
@@ -557,6 +557,11 @@ tsig_find_rr(tsig_record_type *tsig, buffer_type *packet)
tsig->status = TSIG_NOT_PRESENT;
return 1;
}
+ if(rrcount > 65530) {
+ /* impossibly high number of records in 64k, reject packet */
+ buffer_set_position(packet, saved_position);
+ return 0;
+ }
buffer_set_position(packet, QHEADERSZ);
@@ -635,6 +640,12 @@ tsig_parse_rr(tsig_record_type *tsig, buffer_type *packet)
tsig->mac_size = 0;
return 0;
}
+ if(tsig->mac_size > 16384) {
+ /* the hash should not be too big, really 512/8=64 bytes */
+ buffer_set_position(packet, tsig->position);
+ tsig->mac_size = 0;
+ return 0;
+ }
tsig->mac_data = (uint8_t *) region_alloc_init(
tsig->rr_region, buffer_current(packet), tsig->mac_size);
buffer_skip(packet, tsig->mac_size);
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.