- Fix out-of-bounds null-byte write in sldns_bget_token_par while

  parsing type WKS, reported by Luis Merino from X41 D-Sec.

diff --git a/doc/Changelog b/doc/Changelog
index 92b036db3ed754ffe0b7ff1998dbfe5ae9035f86..4f80bbe958f31f29fb46102c1c68d649f711fd48 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,7 @@
 8 January 2020: Wouter
        - Fix 'make test' to work for --disable-sha1 configure option.
+       - Fix out-of-bounds null-byte write in sldns_bget_token_par while
+         parsing type WKS, reported by Luis Merino from X41 D-Sec.
 
 6 January 2020: George
        - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.

diff --git a/sldns/parse.c b/sldns/parse.c
index b30264e88e794ad993eb1ae1bc4d0cfceff159b3..2f9a15e010d6ab40befe6c93d79c422350eb9800 100644 (file)
--- a/sldns/parse.c
+++ b/sldns/parse.c
@@ -120,7 +120,7 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
                        if (line_nr) {
                                *line_nr = *line_nr + 1;
                        }
-                       if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+                       if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
                                *t = '\0';
                                return -1;
                        }
@@ -141,7 +141,7 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
                if (c != '\0' && c != '\n') {
                        i++;
                }
-               if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+               if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
                        *t = '\0';
                        return -1;
                }
@@ -327,7 +327,7 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
                        /* do not write ' ' if we want to skip spaces */
                        if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
                                /* check for space for the space character */
-                               if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+                               if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
                                        *t = '\0';
                                        return -1;
                                }
@@ -354,7 +354,7 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
                }
 
                i++;
-               if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+               if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
                        *t = '\0';
                        return -1;
                }