Overview

File bsc1185389.90_CVE-2019-25038.9_02080f6b.patch of Package libunbound-devel-mini.22468

From 02080f6b180232f43b77f403d0c038e9360a460f Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 16:32:40 +0100
Subject: [PATCH] - Fix Integer Overflows in Size Calculations,   reported by
 X41 D-Sec.

---
 dnscrypt/dnscrypt.c |   15 +++++++++++++--
 respip/respip.c     |    8 +++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)

--- dnscrypt/dnscrypt.c
+++ dnscrypt/dnscrypt.c	2022-01-17 13:21:48.251587868 +0000
@@ -5,6 +5,7 @@
 #ifdef HAVE_TIME_H
 #include <time.h>
 #endif
+#include <inttypes.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include "sldns/sbuffer.h"
@@ -693,12 +694,22 @@ dnsc_load_local_data(struct dnsc_env* dn
     for(i=0; i<dnscenv->signed_certs_count; i++) {
         const char *ttl_class_type = " 86400 IN TXT \"";
         struct SignedCert *cert = dnscenv->signed_certs + i;
-        uint16_t rrlen = strlen(dnscenv->provider_name) +
+	uint32_t serial;
+        uint16_t rrlen;
+        char *rr;
+	memcpy(&serial, cert->serial, sizeof serial);
+	serial = htonl(serial);
+        if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) {
+                /* guard against integer overflow in rrlen calculation */
+                verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial);
+                continue;
+	}
+        rrlen = strlen(dnscenv->provider_name) +
                          strlen(ttl_class_type) +
                          4 * sizeof(struct SignedCert) + // worst case scenario
                          1 + // trailing double quote
                          1;
-        char *rr = malloc(rrlen);
+        rr = malloc(rrlen);
         if(!rr) {
             log_err("Could not allocate memory");
             return -2;
--- respip/respip.c
+++ respip/respip.c	2022-01-17 13:16:12.310001548 +0000
@@ -475,10 +475,16 @@ copy_rrset(const struct ub_packed_rrset_
 	if(!ck->rk.dname)
 		return NULL;
 
+	if((unsigned)data->count >= 0xffff00U)
+		return NULL; /* guard against integer overflow in dsize */
 	dsize = sizeof(struct packed_rrset_data) + data->count *
 		(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t));
-	for(i=0; i<data->count; i++)
+	for(i=0; i<data->count; i++) {
+		if((unsigned)dsize >= 0x0fffffffU ||
+			(unsigned)data->rr_len[i] >= 0x0fffffffU)
+			return NULL; /* guard against integer overflow */
 		dsize += data->rr_len[i];
+	}
 	d = regional_alloc(region, dsize);
 	if(!d)
 		return NULL;
openSUSE Build Service is sponsored by
Places