From e58eb371a047c3a8aee4ce9aaca0f7f3673432a4 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman
Date: Mon, 16 Feb 2015 12:09:30 +0530
Subject: [PATCH] RPZ: Don't diff keys out of bounds, found via Valgrind (#38559)
---
 CHANGES | 5 +++++
 lib/dns/rpz.c | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 3dd18b8cad..6f3e839055 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't result in a bug during operation. If the read failed, named could segfault. [RT #38559]
+
 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 
 4060.	[bug]		dns_rdata_freestruct could be called on a
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 7e06daf086..7a46148e96 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -866,13 +866,14 @@ diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1,
 	dns_rpz_prefix_t maxbit, bit;
 	int i;
 
+	bit = 0;
 	maxbit = ISC_MIN(prefix1, prefix2);
 
 	/*
 	 * find the first differing words
 	 */
-	for (i = 0, bit = 0;
-	     bit <= maxbit;
+	for (i = 0;
+	     bit < maxbit;
 	     i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
 		delta = key1->w[i] ^ key2->w[i];
 		if (delta != 0) {
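Review bot: The corrected bound `bit < maxbit` is now the only thing keeping `key1->w[i]` and `key2->w[i]` inside the key on the line after the loop header, so diff_keys still trusts its callers never to pass a prefix wider than the key itself; an `INSIST(maxbit <= sizeof(key1->w) * CHAR_BIT);` next to the new `bit = 0;` would turn a future caller bug into a clean assertion failure rather than a silent over-read (this assumes `w` is a fixed-size array, as the indexing suggests). The old `<=` looked natural enough that the mistake could be reintroduced, so the loop deserves a why-comment such as `/* < not <=: with maxbit a multiple of DNS_RPZ_CIDR_WORD_BITS, <= read one word past the end of w[] (RT #38559) */`. diff_keys continues past the end of the hunk, so how `bit` is consumed after the loop is not visible here.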