authorTom Gundersen <teg@jklm.no>2015-07-28 23:16:52 +0200
committerTom Gundersen <teg@jklm.no>2015-07-28 23:25:52 +0200
commitbfcc67093d1a8f3f38d3b412fca24b00e775caaa (patch)
tree7ab3bfd4c7729fe0ca535933c3ff3f9f15fe6c5f
parentresolved: packet - fix read_type_window() (diff)
downloadsystemd-bfcc67093d1a8f3f38d3b412fca24b00e775caaa.tar.xz
systemd-bfcc67093d1a8f3f38d3b412fca24b00e775caaa.zip
resolved: packet - refuse empty type bitmaps
The NSEC type itself must at least be in the bitmap, so NSEC records with empty bitmaps must be bogus.
-rw-r--r--src/resolve/resolved-dns-packet.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 88a3089a72..39951a362c 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1666,8 +1666,12 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
if (r < 0)
goto fail;
- /* NSEC RRs with empty bitmpas makes no sense, but the RFC does not explicitly forbid them
- so we allow it */
+ /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means
+ something went wrong */
+ if (bitmap_isclear(rr->nsec.types)) {
+ r = -EBADMSG;
+ goto fail;
+ }
break;
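Review bot: The new guard `if (bitmap_isclear(rr->nsec.types))` enforces less than the comment above it states: a bitmap that has other type bits set but lacks the NSEC bit still passes, although the comment says the NSEC type itself must be present. If that invariant is the intent, test it directly with `if (!bitmap_isset(rr->nsec.types, DNS_TYPE_NSEC)) {`. Otherwise reword the comment to say that only a completely empty bitmap is refused. Because the failure is raised inside the record parser via `goto fail`, one such record presumably fails the whole `dns_packet_read_rr()` call instead of being skipped, so confirm that a hard `-EBADMSG` is wanted for every caller, including responses from servers that may emit NSEC with an empty bitmap. The `fail` label and the rest of the function lie outside this hunk.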