Merge branch 'nsec3-iters-downgrade-2' into 'master'

validator: avoid assertion in an edge-case See merge request knot/knot-resolver!1169
author: Tomas Krizek <tomas.krizek@nic.cz> 2021-05-03 11:55:03 +0200
committer: Tomas Krizek <tomas.krizek@nic.cz> 2021-05-03 11:55:03 +0200
commit: fa42b4aeffb552c6a8d648c7f658f9f40c9d3558 (patch)
tree: 3856c19f1f28473adeca7ace5b1f2d17d71840d6
parent: Merge !1171: ci: utilize test reports (diff)
parent: validator: avoid assertion in an edge-case (diff)
download: knot-resolver-fa42b4aeffb552c6a8d648c7f658f9f40c9d3558.tar.xz
knot-resolver-fa42b4aeffb552c6a8d648c7f658f9f40c9d3558.zip
5 files changed, 15 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 813e6c89..b296d9a7 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 Knot Resolver 5.3.2 (2021-0m-dd)
 ================================
 
+Security
+--------
+- validator: fix 5.3.1 regression on over-limit NSEC3 edge case (!1169)
+  Assertion might be triggered by query/answer, potentially DoS.
+
 Improvements
 ------------
 - cache: improve handling write errors from LMDB (!1159)
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index e9e536a3..f3a48c06 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
 		if (rrset->type != KNOT_RRTYPE_NSEC3) {
 			continue;
 		}
+		if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+			/* Avoid hashing with too many iterations.
+			 * If we get here, the `sname` wildcard probably ends up bogus,
+			 * but it gets downgraded to KR_RANK_INSECURE when validator
+			 * gets to verifying one of these over-limit NSEC3 RRs. */
+			continue;
+		}
 		int ret = covers_name(&flags, rrset, sname);
 		if (ret != 0) {
 			return ret;
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index 1e316f56..0fdbfcef 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
  *                     KNOT_ERANGE - NSEC3 RR that covers a wildcard
  *                     has been found, but has opt-out flag set;
  *                     otherwise - error.
+ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
  */
 int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
                                             const knot_dname_t *sname, int trim_to_next);
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index cf5dda2d..cf5c88a1 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -894,7 +894,8 @@ static void rank_records(struct kr_query *qry, bool any_rank, enum kr_rank rank_
 								 bailiwick) < 0) {
 				continue;
 			}
-			if (kr_rank_test(entry->rank, KR_RANK_INITIAL)
+			if (any_rank
+			    || kr_rank_test(entry->rank, KR_RANK_INITIAL)
 			    || kr_rank_test(entry->rank, KR_RANK_TRY)
 			    || kr_rank_test(entry->rank, KR_RANK_MISSING)) {
 				kr_rank_set(&entry->rank, rank_to_set);
diff --git a/tests/integration/deckard b/tests/integration/deckard
-Subproject 01eabd23dc3315ef9d27ae7f5fe19c142dcbdfd
+Subproject c4628156e6cf499e8052c321b24793a176ded49
author	Tomas Krizek <tomas.krizek@nic.cz>	2021-05-03 11:55:03 +0200
committer	Tomas Krizek <tomas.krizek@nic.cz>	2021-05-03 11:55:03 +0200
commit	fa42b4aeffb552c6a8d648c7f658f9f40c9d3558 (patch)
tree	3856c19f1f28473adeca7ace5b1f2d17d71840d6
parent	Merge !1171: ci: utilize test reports (diff)
parent	validator: avoid assertion in an edge-case (diff)
download	knot-resolver-fa42b4aeffb552c6a8d648c7f658f9f40c9d3558.tar.xz knot-resolver-fa42b4aeffb552c6a8d648c7f658f9f40c9d3558.zip