Diffstat (limited to 'usr.sbin/nsd/tsig.c')
-rw-r--r-- | usr.sbin/nsd/tsig.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/usr.sbin/nsd/tsig.c b/usr.sbin/nsd/tsig.c
index 91ca99b93b5..8b24fd1bf07 100644
--- a/usr.sbin/nsd/tsig.c
+++ b/usr.sbin/nsd/tsig.c
@@ -546,10 +546,10 @@ int
 tsig_find_rr(tsig_record_type *tsig, buffer_type *packet)
 {
 size_t saved_position = buffer_position(packet);
- size_t rrcount = (QDCOUNT(packet)
- + ANCOUNT(packet)
- + NSCOUNT(packet)
- + ARCOUNT(packet));
+ size_t rrcount = ((size_t)QDCOUNT(packet)
+ + (size_t)ANCOUNT(packet)
+ + (size_t)NSCOUNT(packet)
+ + (size_t)ARCOUNT(packet));
 size_t i;
 int result;
 
@@ -557,6 +557,11 @@ tsig_find_rr(tsig_record_type *tsig, buffer_type *packet)
 tsig->status = TSIG_NOT_PRESENT;
 return 1;
 }
+ if(rrcount > 65530) {
+ /* impossibly high number of records in 64k, reject packet */
+ buffer_set_position(packet, saved_position);
+ return 0;
+ }
 
 buffer_set_position(packet, QHEADERSZ);
 
@@ -635,6 +640,12 @@ tsig_parse_rr(tsig_record_type *tsig, buffer_type *packet)
 tsig->mac_size = 0;
 return 0;
 }
+ if(tsig->mac_size > 16384) {
+ /* the hash should not be too big, really 512/8=64 bytes */
+ buffer_set_position(packet, tsig->position);
+ tsig->mac_size = 0;
+ return 0;
+ }
 tsig->mac_data = (uint8_t *) region_alloc_init(
 tsig->rr_region, buffer_current(packet), tsig->mac_size);
 buffer_skip(packet, tsig->mac_size); |
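Review bot: The limit in the added `if(rrcount > 65530)` is a bare number with no derivation, and it is much looser than its comment implies: a question entry occupies at least 5 bytes on the wire and a resource record at least 11, so a 64k message cannot hold even a quarter of that many records. The check is still a valid upper bound on whatever per-record loop follows outside the hunk, but a named constant with the reasoning would make it auditable, for example `#define TSIG_MAX_RRCOUNT 65530 /* more records than any 64k message can hold */` (the name is only a suggestion). If the four count macros yield the 16-bit header fields, the `(size_t)` sum from the previous hunk can reach 4 × 65535, so this check is what actually bounds the iteration count and deserves that explanation. The bare `16384` in the tsig_parse_rr hunk has the same problem; tsig_find_rr begins and ends outside this hunk.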
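Review bot: The added `if(tsig->mac_size > 16384)` still accepts a MAC 256 times larger than the 64 bytes its own comment gives as the real maximum, so up to 16 KB per message is copied into `tsig->rr_region` by the `region_alloc_init` call that follows, before any MAC check visible here. If no supported algorithm produces a longer digest, a bound near that maximum would reject malformed records earlier; if the headroom is deliberate, the comment should say so, e.g. `/* largest supported HMAC is 64 bytes; the extra room is for future algorithms */`. Only the tail of the preceding check is visible (`tsig->mac_size = 0; return 0; }`), so whether `mac_size` is already limited to the bytes remaining in the packet cannot be confirmed from this hunk.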