);
continue;
}
+ if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) {
+ /* guard against integer overflow in rrlen calculation */
+ verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial);
+ continue
+ }
rrlen = strlen(dnscenv->provider_name) +
strlen(ttl_class_type) +
4 * sizeof(struct SignedCert) + // worst case scenario
and ipsecmod_new(), reported by X41 D-Sec.
- Fix Out-of-bounds Read in rr_comment_dnskey(),
reported by X41 D-Sec.
+ - Fix Integer Overflows in Size Calculations,
+ reported by X41 D-Sec.
18 November 2019: Wouter
- In unbound-host use separate variable for get_option to please
if(!ck->rk.dname)
return NULL;
+ if((unsigned)data->count >= 0xffff00U)
+ return NULL; /* guard against integer overflow in dsize */
dsize = sizeof(struct packed_rrset_data) + data->count *
(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t));
- for(i=0; i<data->count; i++)
+ for(i=0; i<data->count; i++) {
+ if((unsigned)dsize >= 0x0fffffffU ||
+ (unsigned)data->rr_len[i] >= 0x0fffffffU)
+ return NULL; /* guard against integer overflow */
dsize += data->rr_len[i];
+ }
d = regional_alloc(region, dsize);
if(!d)
return NULL;
projects / thirdparty / unbound.git / commitdiff
