Bound hash-iterations in DNSSEC NSEC3 checking.

2025-12-19 10:18:25 +00:00 · 2016-03-14 21:24:00 +00:00
parent b8ac466209
commit 40205a053e
1 changed files with 8 additions and 0 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1697,7 +1697,15 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
    return 0;

  p++; /* flags */
+
  GETSHORT (iterations, p);
+  /* Upper-bound iterations, to avoid DoS.
+     Strictly, there are lower bounds for small keys, but
+     since we don't have key size info here, at least limit
+     to the largest bound, for 4096-bit keys. RFC 5155 10.3 */
+  if (iterations > 2500)
+    return 0;
+  
  salt_len = *p++;
  salt = p;
  if (!CHECK_LEN(header, salt, plen, salt_len))