nsupdate: reject attempts to add NSEC3PARAM with excessive iterations

bin/nsupdate/nsupdate.c

@@ -57,6 +57,7 @@
 #include <dns/masterdump.h>
 #include <dns/message.h>
 #include <dns/name.h>
+#include <dns/nsec3.h>
 #include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -1968,6 +1969,19 @@ parseclass:
 		}
 	}
 
+	if (!isdelete && rdata->type == dns_rdatatype_nsec3param) {
+		dns_rdata_nsec3param_t nsec3param;
+
+		result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		if (nsec3param.iterations > dns_nsec3_maxiterations()) {
+			fprintf(stderr,
+				"NSEC3PARAM has excessive iterations (> %u)\n",
+				dns_nsec3_maxiterations());
+			goto failure;
+		}
+	}
+
 doneparsing:
 
 	result = dns_message_gettemprdatalist(updatemsg, &rdatalist);

bin/tests/system/nsupdate/tests.sh

@@ -1190,6 +1190,8 @@ then
 echo_i "failed"; status=1
 fi
 
+n=`expr $n + 1`
+ret=0
 echo_i "check that DS to the zone apex is ignored ($n)"
 $DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1
 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
@@ -1209,7 +1211,20 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
 grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
-if $FEATURETEST --gssapi ; then
+n=`expr $n + 1`
+ret=0
+echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in NSEC3PARAM 1 0 151 -
+END
+grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+if ! $FEATURETEST --gssapi ; then
+  echo_i "SKIPPED: GSSAPI tests"
+else
   n=`expr $n + 1`
   ret=0
   echo_i "check krb5-self match ($n)"