BIND 10 #117: NSEC3 RDATA needs more tests and has serious bugs
BIND 10 Development
do-not-reply at isc.org
Thu Feb 17 00:54:40 UTC 2011
#117: NSEC3 RDATA needs more tests and has serious bugs
-------------------------------------+-------------------------------------
Reporter: jinmei | Owner: jinmei
Type: defect | Status: accepted
Priority: critical | Milestone: A-Team-Sprint-20110223
Component: DNSPacket API | Resolution:
Keywords: | Sensitive: 0
Estimated Number of Hours: 0.0 | Add Hours to Ticket: 0
Billable?: 0 | Total Hours: 5.0
Internal?: 0 |
-------------------------------------+-------------------------------------
Comment (by jinmei):
Branch trac117 is ready for review.
This branch contains several bug fixes:
- reject invalid type bitmaps
- reject other invalid parameters (too large salt/hash, etc.), both
"from wire" and "from text" cases
For the bitmap fix, I've unified the check code for both NSEC and
NSEC3, and extracted it as a single public (but effectively private)
function: checkRRTypeBitmaps(). It's essentially a bare copy of the
check logic of the NSEC class, in which sense it only has to be
reviewed lightly (for reducing review load; intensive review is always
welcome nevertheless).
I thought we should share more code for NSEC and NSEC3 this way, but
as this branch has been getting big, I'll stop here and leave further
changes to a separate ticket.
This is the proposed changelog entry:
{{{
167.? [bug] jinmei
Tightened validity checks in the NSEC3 constructors, both "from
text" and "from wire". Specifically, wire data containing
invalid type bitmaps or invalid lengths of salt or hash is now
correctly rejected.
(Trac #117, git TBD)
}}}
--
Ticket URL: <http://bind10.isc.org/ticket/117#comment:8>
BIND 10 Development <http://bind10.isc.org>
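
The kind of "from wire" rejection the comment above describes, as an added example that is not the code on branch trac117 or any other BIND 10 code: a bounds-checked walk over NSEC3 RDATA (field layout per RFC 5155 section 3.2, type bitmap rules per RFC 4034 section 4.1.2). The function names, error strings and sample bytes are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// Hypothetical helper, not BIND 10's checkRRTypeBitmaps(): checks the type
// bitmap field starting at d[pos] (RFC 4034 section 4.1.2).
// Returns an empty string if valid, otherwise the reason for rejection.
std::string checkTypeBitmaps(const Bytes& d, size_t pos) {
    int prev_window = -1;
    while (pos < d.size()) {
        if (d.size() - pos < 2) return "truncated window block header";
        const int window = d[pos];
        const size_t len = d[pos + 1];
        pos += 2;
        if (window <= prev_window) return "window blocks out of order";
        if (len < 1 || len > 32) return "bitmap length not in 1..32";
        if (len > d.size() - pos) return "bitmap runs past end of RDATA";
        if (d[pos + len - 1] == 0) return "trailing zero octet in bitmap";
        prev_window = window;
        pos += len;
    }
    return "";
}

// Hypothetical "from wire" check of a whole NSEC3 RDATA (RFC 5155 section 3.2):
// hash alg(1) flags(1) iterations(2) salt len(1) salt hash len(1) hash bitmaps
std::string checkNSEC3Wire(const Bytes& d) {
    if (d.size() < 5) return "RDATA shorter than fixed fields";
    size_t pos = 5;
    const size_t salt_len = d[4];
    if (salt_len > d.size() - pos) return "salt length exceeds RDATA";
    pos += salt_len;
    if (pos >= d.size()) return "missing hash length";
    const size_t hash_len = d[pos++];
    if (hash_len == 0) return "empty next hashed owner name";
    if (hash_len > d.size() - pos) return "hash length exceeds RDATA";
    pos += hash_len;
    return checkTypeBitmaps(d, pos);
}

// Constructed sample: SHA-1, no flags, 1 iteration, 2-byte salt, 4-byte
// (shortened) hash, window 0 with A (type 1) and NS (type 2) set.
Bytes sampleRdata() {
    const uint8_t raw[] = {1, 0, 0, 1, 2, 0xaa, 0xbb,
                           4, 1, 2, 3, 4, 0, 1, 0x60};
    return Bytes(raw, raw + sizeof(raw));
}
```

Every length octet is compared against the bytes remaining before it is used as an offset, so an oversized salt, hash or bitmap length is reported rather than read past the end of the buffer.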