author | Ronan Pigott <ronan@rjp.ie> | 2024-11-05 04:45:27 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2024-11-05 09:33:35 +0100 |
commit | a791fea0d682cb2eb0555fdb32b340fecb042796 (patch) | |
tree | 8e8aaf2a5bda8f06201d5fdbc742427a83ab4bf1 /src/network | |
parent | sd-daemon: some tweaks (#35011) (diff) | |
network: limit the total number of Encrypted DNS options processed
We need a sensible limit on the number of Encrypted DNS options allowed
so that the set of resolvers per link does not grow without bound.
Fixes: 0c90d1d2f243 ("ndisc: Parse RFC9463 encrypted DNS (DNR) option")
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/networkd-ndisc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index 0773e9e8ca..677ddc6b1c 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -30,6 +30,7 @@
 #define NDISC_DNSSL_MAX 64U
 #define NDISC_RDNSS_MAX 64U
+#define NDISC_ENCRYPTED_DNS_MAX 64U
 /* Not defined in the RFC, but let's set an upper limit to make not consume much memory.
 * This should be safe as typically there should be at most 1 portal per network. */
 #define NDISC_CAPTIVE_PORTAL_MAX 64U
@@ -1942,6 +1943,11 @@ static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
 return 0;
 }
+ if (set_size(link->ndisc_dnr) >= NDISC_ENCRYPTED_DNS_MAX) {
+ log_link_warning(link, "Too many Encrypted DNS records received. Only first %u records will be used.", NDISC_ENCRYPTED_DNS_MAX);
+ return 0;
+ }
+
 new_entry = new(NDiscDNR, 1);
 if (!new_entry)
 return log_oom(); |
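Review bot: The limit check added in the second hunk of ndisc_router_process_encrypted_dns runs before the received option is compared with entries already in link->ndisc_dnr, so once the set holds NDISC_ENCRYPTED_DNS_MAX resolvers a renewed RA for a resolver that is already present is dropped as well, and that entry can only age out instead of being refreshed. If the rest of the function looks up an existing entry before inserting, as the RDNSS handling in this file appears to, the check belongs after that lookup so that it guards only the insertion of a genuinely new entry. The warning also fires once per excess option on every RA, so a router that keeps advertising more than 64 resolvers logs at warning level on every advertisement interval; demoting it to `log_link_debug` or emitting it once per link would keep the log useful. The body of ndisc_router_process_encrypted_dns starts and ends outside this hunk, so the position of the existing-entry lookup is inferred rather than visible.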