From 1f4ba71f562cf04c6c28537feb41d92bb509f310 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 8 Jan 2025 18:08:05 -0800
Subject: [PATCH] detect when closest-encloser name is too long

there was a database bug in which dns_db_find() could get a partial match for the query name, but still set foundname to match the full query name. this triggered an assertion when query_addwildcardproof() assumed that foundname would be shorter. the database bug has been fixed, but in case it happens again, we can just copy the name instead of splitting it. we will also log a warning that the closest-encloser name was invalid.
---
 lib/ns/query.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index fe00defd30..6de4d2bd01 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11407,7 +11407,15 @@ again:
 * Add no qname proof.
 */
 labels = dns_name_countlabels(cname) + 1;
- if (dns_name_countlabels(name) == labels) {
+ if (labels > maxlabels) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(cname, namebuf, sizeof(namebuf));
+ ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "closest-encloser name too long: %s",
+ namebuf);
+ dns_name_copy(name, wname);
+ } else if (labels == maxlabels) {
 dns_name_copy(name, wname);
 } else {
 dns_name_split(name, labels, NULL, wname);
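Review bot: The new `labels > maxlabels` branch carries no comment explaining why a condition the commit message describes as a fixed database bug is still handled here, and the warning it logs formats only `cname`, so the query name that produced the mismatch cannot be recovered from the log. I would put a comment above the branch, e.g. `/* Defensive: dns_db_find() once returned a partial match whose foundname was as long as the query name; copy instead of splitting, which asserted in that case, and warn so the database bug is noticed if it recurs. */`, and format `name` into the message alongside `cname` using a second `DNS_NAME_FORMATSIZE` buffer. Since both the new branch and the `labels == maxlabels` branch end in `dns_name_copy(name, wname);`, they could be folded into one `if (labels >= maxlabels)` with the logging guarded by `labels > maxlabels`, which keeps the fallback path single. The enclosing function (query_addwildcardproof() per the commit message) starts and ends outside the hunk, and whether `maxlabels` holds `dns_name_countlabels(name)` at this point, as the replaced check implied, is not visible from the hunk and should be confirmed.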