From 031ee9e2791bfe02a289b41bf5f35b3ee0534a27 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 13 Aug 2020 12:46:55 +1000
Subject: [PATCH] NSEC3: reject records with a zero length hash field

---
 lib/dns/rdata/generic/nsec3_50.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index 95d04213ba..f9f356a576 100644
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -212,7 +212,7 @@ fromwire_nsec3(ARGS_FROMWIRE) {
 	hashlen = sr.base[0];
 	isc_region_consume(&sr, 1);
 
-	if (sr.length < hashlen) {
+	if (hashlen < 1 || sr.length < hashlen) {
 		RETERR(DNS_R_FORMERR);
 	}
 	isc_region_consume(&sr, hashlen);