From 73341adc34493738c94681baabe05f3038610147 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 13 Aug 2020 13:08:17 +1000
Subject: [PATCH] IPSECKEY: require non-zero length public keys
(cherry picked from commit d7f701480341f33cfbad3bfff9ee3876859e0ce2)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/73341adc34493738c94681baabe05f3038610147
---
 lib/dns/rdata/generic/ipseckey_45.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index d85f79576f..d986cc956e 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -217,18 +217,23 @@ fromwire_ipseckey(ARGS_FROMWIRE) {
 switch (region.base[1]) {
 case 0:
+ if (region.length < 4) {
+ return (ISC_R_UNEXPECTEDEND);
+ }
 isc_buffer_forward(source, region.length);
 return (mem_tobuffer(target, region.base, region.length));
 case 1:
- if (region.length < 7)
+ if (region.length < 8) {
 return (ISC_R_UNEXPECTEDEND);
+ }
 isc_buffer_forward(source, region.length);
 return (mem_tobuffer(target, region.base, region.length));
 case 2:
- if (region.length < 19)
+ if (region.length < 20) {
 return (ISC_R_UNEXPECTEDEND);
+ }
 isc_buffer_forward(source, region.length);
 return (mem_tobuffer(target, region.base, region.length));
@@ -238,7 +243,10 @@ fromwire_ipseckey(ARGS_FROMWIRE) {
 RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 isc_buffer_activeregion(source, ®ion);
 isc_buffer_forward(source, region.length);
- return(mem_tobuffer(target, region.base, region.length));
+ if (region.length < 1) {
+ return (ISC_R_UNEXPECTEDEND);
+ }
+ return (mem_tobuffer(target, region.base, region.length));
 default:
 return (ISC_R_NOTIMPLEMENTED);
--
2.23.0
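Review bot: The new minimum lengths 4, 8 and 20 in cases 0, 1 and 2 are bare literals, and nothing in the hunk says how they are derived, which makes an off-by-one in a wire-format length check hard to spot in review. A comment above the switch would pin the intent, e.g. `/* 3 fixed octets + gateway (0, 4 or 16 octets) + at least 1 octet of public key */`. The checks also never look at the algorithm octet (presumably `region.base[2]`), so a record with algorithm 0, which as I read RFC 4025 carries no key, is now refused on the wire; worth confirming that this is intended and covered by a test. The body of fromwire_ipseckey starts and ends outside this hunk.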
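Review bot: In the name-gateway case the new `region.length < 1` test sits after `isc_buffer_forward(source, region.length)`, whereas the three cases in the previous hunk test the length before consuming any input. With a zero length the forward is a no-op, so behaviour is the same, but the ordering reads as if input were consumed before validation; placing `if (region.length < 1) { return (ISC_R_UNEXPECTEDEND); }` directly after the `isc_buffer_activeregion(...)` call keeps all four cases parallel. By this point dns_name_fromwire has already written the gateway name into `target`, so the error return leaves partial output there; presumably callers discard `target` on failure, but that is not visible here. The case label and the start of the function are outside the hunk.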