File bsc1185389.90_CVE-2019-25038.9_02080f6b.patch of Package libunbound-devel-mini.22468
From 02080f6b180232f43b77f403d0c038e9360a460f Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 16:32:40 +0100
Subject: [PATCH] - Fix Integer Overflows in Size Calculations, reported by
X41 D-Sec.
---
dnscrypt/dnscrypt.c | 15 +++++++++++++--
respip/respip.c | 8 +++++++-
2 files changed, 20 insertions(+), 3 deletions(-)
--- dnscrypt/dnscrypt.c
+++ dnscrypt/dnscrypt.c 2022-01-17 13:21:48.251587868 +0000
@@ -5,6 +5,7 @@
#ifdef HAVE_TIME_H
#include <time.h>
#endif
+#include <inttypes.h>
#include <sys/time.h>
#include <sys/types.h>
#include "sldns/sbuffer.h"
@@ -693,12 +694,22 @@ dnsc_load_local_data(struct dnsc_env* dn
for(i=0; i<dnscenv->signed_certs_count; i++) {
const char *ttl_class_type = " 86400 IN TXT \"";
struct SignedCert *cert = dnscenv->signed_certs + i;
- uint16_t rrlen = strlen(dnscenv->provider_name) +
+ uint32_t serial;
+ uint16_t rrlen;
+ char *rr;
+ memcpy(&serial, cert->serial, sizeof serial);
+ serial = htonl(serial);
+ if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) {
+ /* guard against integer overflow in rrlen calculation */
+ verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial);
+ continue;
+ }
+ rrlen = strlen(dnscenv->provider_name) +
strlen(ttl_class_type) +
4 * sizeof(struct SignedCert) + // worst case scenario
1 + // trailing double quote
1;
- char *rr = malloc(rrlen);
+ rr = malloc(rrlen);
if(!rr) {
log_err("Could not allocate memory");
return -2;
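Review bot: The new guard does not match the width of `rrlen`: it rejects a provider name only at 0xffff0000 bytes, but `rrlen` is still `uint16_t`, so the sum assigned just below is truncated once it exceeds 65535 and `malloc(rrlen)` can be smaller than the record being built. Bound the name against the 16-bit limit instead, e.g. `if(strlen(dnscenv->provider_name) > 0xffff - strlen(ttl_class_type) - 4*sizeof(struct SignedCert) - 2) {`, or declare `rrlen` as `size_t`. The `(unsigned)` cast on `strlen()` also discards the upper bits of a `size_t` on LP64 targets and can be dropped. The code that fills `rr` lies outside the hunk, so whether a truncated length causes an out-of-bounds write or only a truncated record depends on how those writes are bounded.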
--- respip/respip.c
+++ respip/respip.c 2022-01-17 13:16:12.310001548 +0000
@@ -475,10 +475,16 @@ copy_rrset(const struct ub_packed_rrset_
if(!ck->rk.dname)
return NULL;
+ if((unsigned)data->count >= 0xffff00U)
+ return NULL; /* guard against integer overflow in dsize */
dsize = sizeof(struct packed_rrset_data) + data->count *
(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t));
- for(i=0; i<data->count; i++)
+ for(i=0; i<data->count; i++) {
+ if((unsigned)dsize >= 0x0fffffffU ||
+ (unsigned)data->rr_len[i] >= 0x0fffffffU)
+ return NULL; /* guard against integer overflow */
dsize += data->rr_len[i];
+ }
d = regional_alloc(region, dsize);
if(!d)
return NULL;
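Review bot: The `(unsigned)` casts in the three added comparisons can defeat the guards on 64-bit builds. If `data->count`, `dsize` and `data->rr_len[i]` are `size_t` (their declarations are outside the hunk, but the `sizeof(size_t)` term suggests so), the cast keeps only the low 32 bits, so a value such as 0x100000000 compares as 0 and passes the check. Compare at full width instead, e.g. `if(data->count >= 0xffff00U)` and `if(dsize >= 0x0fffffffU || data->rr_len[i] >= 0x0fffffffU)`. A short comment saying that these limits keep `dsize` within 32-bit range would also explain the otherwise unexplained constants. copy_rrset starts and ends outside the hunk.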