DANE: ignore undersized TLSA records

(cherry picked from commit 834dec3ec34411a106695fec7b89622c17980feb)

diff --git a/src/src/dns.c b/src/src/dns.c
index 83de7c26684ea3a6ad640089899c59e986dcb453..524f7d9c34e6aeb7551c9647e3d78f0ceafbac1e 100644 (file)
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -878,7 +878,7 @@ for (i = 0; i < 10; i++)
   uschar * data;
   dns_record *rr, cname_rr, type_rr;
   dns_scan dnss;
-  int datalen, rc;
+  int rc;
 
   /* DNS lookup failures get passed straight back. */
 
@@ -940,8 +940,8 @@ for (i = 0; i < 10; i++)
     return DNS_FAIL;
 
   data = store_get(256);
-  if ((datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
-    cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256)) < 0)
+  if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+      cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256) < 0)
     return DNS_FAIL;
   name = data;
 

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7418a2799b608b16979643fc59602340f8248a86..5274cfc54d7cf4a5b56dda2fb091962c5d6fc9ba 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2198,7 +2198,7 @@ dane_data_len = store_get(i * sizeof(int));
 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0;
      rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
-    ) if (rr->type == T_TLSA)
+    ) if (rr->type == T_TLSA && rr->size > 3)
   {
   const uschar * p = rr->data;
   uint8_t usage = p[0], sel = p[1], type = p[2];

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 068a0d872868a881e68a6507fa4fc31960a23d6e..c131f5520d0db0fddd557116dd7d048a2fd6c8fc 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2180,7 +2180,7 @@ if (DANESSL_init(ssl, NULL, hostnames) != 1)
 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
      rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
-    ) if (rr->type == T_TLSA)
+    ) if (rr->type == T_TLSA && rr->size > 3)
   {
   const uschar * p = rr->data;
   uint8_t usage, selector, mtype;