commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da Author: Simon Kelley Date: Wed Mar 25 23:04:08 2026 +0000 Verify rdlen field in RRSIG packets. CVE-2026-4891 Bug report from Royce M This avoids crafted packets which give a value for rdlen _less_ then the space taken up by the fixed data and the signer's name and engender a negative calculated length for the signature. diff --git a/src/dnssec.c b/src/dnssec.c index 0860daa..4bb0495 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in *ttl_out = ttl; } - + + /* Don't trust rdlen not to be too small and give us a negative sig_len + It has already been checked that it doesn't run us off the end + of the packet. */ + if ((sig_len = rdlen - (p - psav)) <= 0) + return STAT_BOGUS; + sig = p; - sig_len = rdlen - (p - psav); - nsigttl = htonl(orig_ttl); hash->update(ctx, 18, psav);