diff options
| -rw-r--r-- | lib/layer/validate.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/layer/validate.c b/lib/layer/validate.c index a99ee588..f081d869 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c @@ -2,7 +2,6 @@ * SPDX-License-Identifier: GPL-3.0-or-later */ -#include <assert.h> #include <errno.h> #include <sys/time.h> #include <stdio.h> @@ -87,7 +86,8 @@ static void log_bogus_rrsig(kr_rrset_validation_ctx_t *vctx, const struct kr_que /** Check that given CNAME could be generated by given DNAME (no DNSSEC validation). */ static bool cname_matches_dname(const knot_rrset_t *rr_cn, const knot_rrset_t *rr_dn) { - assert(rr_cn->type == KNOT_RRTYPE_CNAME && rr_dn->type == KNOT_RRTYPE_DNAME); + if (!kr_assume(rr_cn->type == KNOT_RRTYPE_CNAME && rr_dn->type == KNOT_RRTYPE_DNAME)) + return false; /* When DNAME substitution happens, let's consider the "prefix" * that is carried over and the "suffix" that is replaced. * (Here we consider the label order used in wire and presentation.) */ @@ -423,7 +423,8 @@ static int update_parent_keys(struct kr_request *req, uint16_t answer_type) { struct kr_query *qry = req->current_query; struct kr_query *parent = qry->parent; - assert(parent); + if (!kr_assume(parent)) + return KR_STATE_FAIL; switch(answer_type) { case KNOT_RRTYPE_DNSKEY: VERBOSE_MSG(qry, "<= parent: updating DNSKEY\n"); @@ -747,7 +748,8 @@ static int unsigned_forward(kr_layer_t *ctx, knot_pkt_t *pkt) qry->flags.DNSSEC_WANT = false; qry->flags.DNSSEC_INSECURE = true; if (qry->forward_flags.CNAME) { - assert(qry->cname_parent); + if (!kr_assume(qry->cname_parent)) + return KR_STATE_FAIL; qry->cname_parent->flags.DNSSEC_WANT = false; qry->cname_parent->flags.DNSSEC_INSECURE = true; } else if (pkt_rcode == KNOT_RCODE_NOERROR && qry->parent != NULL) { @@ -764,7 +766,8 @@ static int unsigned_forward(kr_layer_t *ctx, knot_pkt_t *pkt) qry->flags.DNSSEC_WANT = false; qry->flags.DNSSEC_INSECURE = true; if (qry->forward_flags.CNAME) { - assert(qry->cname_parent); + if (!kr_assume(qry->cname_parent)) + return KR_STATE_FAIL; qry->cname_parent->flags.DNSSEC_WANT = false; qry->cname_parent->flags.DNSSEC_INSECURE = true; } |