- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

NLnetLabs · Feb 13, 2024 · 92f2a1c · 92f2a1c
1 parent 882903f
commit 92f2a1c
Show file tree

Hide file tree

Showing 9 changed files with 611 additions and 167 deletions.
diff --git a/services/cache/dns.c b/services/cache/dns.c
@@ -690,6 +690,28 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r,
 	return msg;
 }
 
+struct dns_msg*
+dns_msg_deepcopy_region(struct dns_msg* origin, struct regional* region)
+{
+	size_t i;
+	struct dns_msg* res = NULL;
+	res = gen_dns_msg(region, &origin->qinfo, origin->rep->rrset_count);
+	if(!res) return NULL;
+	*res->rep = *origin->rep;
+	if(origin->rep->reason_bogus_str) {
+		res->rep->reason_bogus_str = regional_strdup(region,
+			origin->rep->reason_bogus_str);
+	}
+	for(i=0; i<res->rep->rrset_count; i++) {
+		res->rep->rrsets[i] = packed_rrset_copy_region(
+			origin->rep->rrsets[i], region, 0);
+		if(!res->rep->rrsets[i]) {
+			return NULL;
+		}
+	}
+	return res;
+}
+
 /** synthesize RRset-only response from cached RRset item */
 static struct dns_msg*
 rrset_msg(struct ub_packed_rrset_key* rrset, struct regional* region, 

diff --git a/services/cache/dns.h b/services/cache/dns.h
@@ -164,6 +164,15 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q,
 	struct reply_info* r, struct regional* region, time_t now,
 	int allow_expired, struct regional* scratch);
 
+/**
+ * Deep copy a dns_msg to a region.
+ * @param origin: the dns_msg to copy.
+ * @param region: the region to copy all the data to.
+ * @return the new dns_msg or NULL on malloc error.
+ */
+struct dns_msg* dns_msg_deepcopy_region(struct dns_msg* origin,
+	struct regional* region);
+
 /** 
  * Find cached message 
  * @param env: module environment with the DNS cache.

diff --git a/testcode/unitverify.c b/testcode/unitverify.c
@@ -443,9 +443,9 @@ nsec3_hash_test_entry(struct entry* e, rbtree_type* ct,
 
 	ret = nsec3_hash_name(ct, region, buf, nsec3, 0, qname,
 		qinfo.qname_len, &hash);
-	if(ret != 1) {
+	if(ret < 1) {
 		printf("Bad nsec3_hash_name retcode %d\n", ret);
-		unit_assert(ret == 1);
+		unit_assert(ret == 1 || ret == 2);
 	}
 	unit_assert(hash->dname && hash->hash && hash->hash_len &&
 		hash->b32 && hash->b32_len);

diff --git a/testdata/val_nx_nsec3_collision.rpl b/testdata/val_nx_nsec3_collision.rpl
@@ -156,6 +156,9 @@ SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
 
+; Allow validation resuming for NSEC3 hash calculations
+STEP 2 TIME_PASSES ELAPSE 0.05
+
 ; recursion happens here.
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN

diff --git a/util/fptr_wlist.c b/util/fptr_wlist.c
@@ -131,7 +131,7 @@ fptr_whitelist_comm_timer(void (*fptr)(void*))
 	else if(fptr == &pending_udp_timer_delay_cb) return 1;
 	else if(fptr == &worker_stat_timer_cb) return 1;
 	else if(fptr == &worker_probe_timer_cb) return 1;
-	else if(fptr == &validate_msg_signatures_timer_cb) return 1;
+	else if(fptr == &validate_suspend_timer_cb) return 1;
 #ifdef UB_ON_WINDOWS
 	else if(fptr == &wsvc_cron_cb) return 1;
 #endif