[PR #586] [MERGED] Wrap types in Restrict and force validation before usage #1534

Closed
opened 2026-03-16 02:11:38 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/586
Author: @bluejekyll
Created: 10/13/2018
Status: Merged
Merged: 10/19/2018
Merged by: @bluejekyll

Base: master
Head: decoder-restrictions


📝 Commits (7)

  • 69d2af5 Add Restrict type
  • 5df662d make all data read from BinDecoder Restrict
  • 68faf34 make rdata_length Restricted on all reads
  • ea7fe66 properly verify NSEC type map length data
  • ab5ae89 document all usages of unverified
  • 8abe735 convert all checked_math ops to return Restrict
  • 9ec1098 stricter length evaluation in nsec3 and fixed review changes from #586

📊 Changes

31 files changed (+591 additions, -331 deletions)

📝 proto/src/op/header.rs (+14 -31)
📝 proto/src/rr/dns_class.rs (+3 -3)
📝 proto/src/rr/dnssec/algorithm.rs (+1 -1)
📝 proto/src/rr/dnssec/digest_type.rs (+1 -0)
📝 proto/src/rr/dnssec/rdata/dnskey.rs (+24 -19)
📝 proto/src/rr/dnssec/rdata/ds.rs (+12 -7)
📝 proto/src/rr/dnssec/rdata/key.rs (+20 -19)
📝 proto/src/rr/dnssec/rdata/mod.rs (+1 -1)
📝 proto/src/rr/dnssec/rdata/nsec.rs (+10 -7)
📝 proto/src/rr/dnssec/rdata/nsec3.rs (+63 -31)
📝 proto/src/rr/dnssec/rdata/nsec3param.rs (+13 -9)
📝 proto/src/rr/dnssec/rdata/sig.rs (+19 -43)
📝 proto/src/rr/domain/name.rs (+15 -11)
📝 proto/src/rr/rdata/a.rs (+4 -4)
📝 proto/src/rr/rdata/aaaa.rs (+8 -8)
📝 proto/src/rr/rdata/caa.rs (+34 -29)
📝 proto/src/rr/rdata/mx.rs (+1 -1)
📝 proto/src/rr/rdata/null.rs (+5 -12)
📝 proto/src/rr/rdata/opt.rs (+16 -8)
📝 proto/src/rr/rdata/soa.rs (+5 -5)

...and 11 more files

📄 Description

@hawkw you may be interested in reviewing this? I broke it up into three commits to follow more easily.

@oherrala I think this completely covers all uses where data is read from potentially malicious packets.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
