From: Yorgos Thessalonikefs
Date: Wed, 3 Apr 2024 11:37:57 +0000 (+0200)
Subject: - Fix #1035: Potential Bug while parsing port from the "stub-host"
X-Git-Tag: release-1.20.0rc1~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91e8e0e51168c490ab871a92d7bbed450e52cc94;p=thirdparty%2Funbound.git
- Fix #1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives.
---
diff --git a/doc/Changelog b/doc/Changelog
index db46a1a8e..f4a5d1cbd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,11 @@
 - For #1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports.
+3 April 2024: Yorgos
+ - Fix #1035: Potential Bug while parsing port from the "stub-host"
+ string; also affected forward-zones and remote-control host
+ directives.
+
 28 March 2024: Wouter
 - Fix #1034: DoT forward-zone via unbound-control.
 - Fix for crypto related failures to have a better error string.
diff --git a/util/net_help.c b/util/net_help.c
index f38d843ed..d2218ea88 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -77,6 +77,8 @@
 /** max length of an IP address (the address portion) that we allow */
 #define MAX_ADDR_STRLEN 128 /* characters */
+/** max length of a hostname (with port and tls name) that we allow */
+#define MAX_HOST_STRLEN (LDNS_MAX_DOMAINLEN * 3) /* characters */
 /** default value for EDNS ADVERTISED size */
 uint16_t EDNS_ADVERTISED_SIZE = 4096;
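Review bot: The comment on the new `MAX_HOST_STRLEN` define says the limit covers a hostname "with port and tls name", but the only use this commit adds (in authextstrtodname, next hunk) applies it to the host part before the `@` or `#` separator and never to the port or TLS-name suffix, so the comment overstates what is bounded. Something like `/** max length of the hostname portion (before any @port or #tlsname suffix) that we allow */` would match the code. The factor of 3 over LDNS_MAX_DOMAINLEN is presumably headroom for escaped characters in presentation-format names; a few words saying so would save the next reader from guessing. Placing the define next to MAX_ADDR_STRLEN with the same comment style is consistent with the file.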
@@ -486,28 +488,38 @@ uint8_t* authextstrtodname(char* str, int* port, char** auth_name)
 *port = UNBOUND_DNS_PORT;
 *auth_name = NULL;
 if((s=strchr(str, '@'))) {
+ char buf[MAX_HOST_STRLEN];
+ size_t len = (size_t)(s-str);
 char* hash = strchr(s+1, '#');
 if(hash) {
 *auth_name = hash+1;
 } else {
 *auth_name = NULL;
 }
+ if(len >= MAX_HOST_STRLEN) {
+ return NULL;
+ }
+ (void)strlcpy(buf, str, sizeof(buf));
+ buf[len] = 0;
 *port = atoi(s+1);
 if(*port == 0) {
 if(!hash && strcmp(s+1,"0")!=0)
- return 0;
+ return NULL;
 if(hash && strncmp(s+1,"0#",2)!=0)
- return 0;
+ return NULL;
 }
- *s = 0;
- dname = sldns_str2wire_dname(str, &dname_len);
- *s = '@';
+ dname = sldns_str2wire_dname(buf, &dname_len);
 } else if((s=strchr(str, '#'))) {
+ char buf[MAX_HOST_STRLEN];
+ size_t len = (size_t)(s-str);
+ if(len >= MAX_HOST_STRLEN) {
+ return NULL;
+ }
+ (void)strlcpy(buf, str, sizeof(buf));
+ buf[len] = 0;
 *port = UNBOUND_DNS_OVER_TLS_PORT;
 *auth_name = s+1;
- *s = 0;
- dname = sldns_str2wire_dname(str, &dname_len);
- *s = '#';
+ dname = sldns_str2wire_dname(buf, &dname_len);
 } else {
 dname = sldns_str2wire_dname(str, &dname_len);
 }
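Review bot: In both new branches the whole of `str` is copied with `strlcpy(buf, str, sizeof(buf))` and then cut at `buf[len] = 0`, so the port/TLS-name suffix is copied only to be discarded and the in-bounds write at `buf[len]` depends on the `len >= MAX_HOST_STRLEN` guard a few lines earlier; `memcpy(buf, str, len); buf[len] = 0;` states the intent (copy the part before the separator) directly and needs no `(void)` cast. The seven lines from `char buf[MAX_HOST_STRLEN];` through `buf[len] = 0;` are duplicated in the `@` and `#` branches and would fit a small static helper taking `str` and `s`. The port is still read with `atoi(s+1)`, which accepts negative and out-of-range values that the zero-port checks do not reject; I assume the range is validated in the config-marking code the Changelog refers to, but a one-line comment at that call saying so would spare the next reader the same question. authextstrtodname begins before and continues after this hunk.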