From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 9 Nov 2017 10:09:32 +0000 (+0100)
Subject: Check return value of getTSIGKey and B64Decode
X-Git-Tag: auth-4.1.0-rc3~3^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fba65bff16fd5decaa80df08938873725cbdfe45;p=thirdparty%2Fpdns.git

Check return value of getTSIGKey and B64Decode

This would lead to crashes if the TSIG key was referenced in
TSIG-ALLOW-FROM but the key was not in the tsigkeys table.

Closes #5931
---

diff --git a/pdns/mastercommunicator.cc b/pdns/mastercommunicator.cc
index 667cb76486..456957a80d 100644
--- a/pdns/mastercommunicator.cc
+++ b/pdns/mastercommunicator.cc
@@ -238,7 +238,10 @@ void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const
   pw.getHeader()->aa = true; 
 
   if (tsigkeyname.empty() == false) {
-    B.getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64);
+    if (!B.getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64)) {
+      L<<Logger::Error<<"TSIG key '"<<tsigkeyname<<"' for domain '"<<domain<<"' not found"<<endl;
+      return;
+    }
     TSIGRecordContent trc;
     if (tsigalgorithm.toStringNoDot() == "hmac-md5")
       trc.d_algoName = DNSName(tsigalgorithm.toStringNoDot() + ".sig-alg.reg.int.");
@@ -248,7 +251,10 @@ void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const
     trc.d_fudge = 300;
     trc.d_origID=ntohs(id);
     trc.d_eRcode=0;
-    B64Decode(tsigsecret64, tsigsecret);
+    if (B64Decode(tsigsecret64, tsigsecret) == -1) {
+      L<<Logger::Error<<"Unable to Base-64 decode TSIG key '"<<tsigkeyname<<"' for domain '"<<domain<<"'"<<endl;
+      return;
+    }
     addTSIG(pw, trc, tsigkeyname, tsigsecret, "", false);
   }