From bb201c211a93b0f7f98974b2654bfd5f3f753d1f Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Thu, 6 Feb 2014 12:01:05 +0000
Subject: [PATCH] Protect against malicious DNS replies with very large RRsets.
---
 src/dnssec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/dnssec.c b/src/dnssec.c
index ff14a80..7a69528 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -531,6 +531,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 {
 unsigned char **new;
+ /* Protect against insane/maliciuos queries which bloat the workspace and eat CPU in the sort */
+ if (rrsetidx >= 100)
+ return STAT_INSECURE;
+ /* expand */ if (!(new = whine_malloc((rrset_sz + 5) * sizeof(unsigned char **)))) return STAT_INSECURE;
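Review bot: The new guard `if (rrsetidx >= 100)` returns STAT_INSECURE, which — if, as its name suggests, that status means "treat as unsigned" rather than "validation failed" — lets an oversized RRset bypass validation instead of being rejected; this mirrors the allocation-failure path just below, but since the stated purpose is to resist hostile replies, the status choice should be deliberate and documented, and a distinct failure status is the more defensive result if the module has one. The limit 100 is a bare magic number; give it a name at file scope, e.g. `enum { MAX_RRSET_RECORDS = 100 };` with `if (rrsetidx >= MAX_RRSET_RECORDS)`, so the bound is visible and tunable. The comment has a typo and says "queries" where the subject line says replies: `/* Protect against insane/malicious replies which bloat the workspace and eat CPU in the sort */`. validate_rrset begins and ends outside the hunk, so how the caller reacts to STAT_INSECURE cannot be confirmed from here.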