* bugfix #51: Heap Out-of-bound Read vulnerability in
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 26 Sep 2019 07:27:29 +0000 (09:27 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 26 Sep 2019 07:27:29 +0000 (09:27 +0200)
  ldns_nsec3_salt_data reported by pokerfacett.

Changelog
dnssec.c

index 530fad89d5ce37fa5b905543d10c477529909b2c..e46856056cd49020877d3f3fd027a19457968947 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,8 @@
 ...
        * bugfix #50: heap Out-of-bound Read vulnerability in
          rr_frm_str_internal reported by pokerfacett.
+       * bugfix #51: Heap Out-of-bound Read vulnerability in
+         ldns_nsec3_salt_data reported by pokerfacett.
 
 1.7.1  2019-07-26
        * bugfix: Manage verification paths for OpenSSL >= 1.1.0
index 52c35ee760f9426352bce7f3d64034f3324bdaf4..482cefd6ff7934d3cfc8be6eba2738f65249256b 100644 (file)
--- a/dnssec.c
+++ b/dnssec.c
@@ -1332,6 +1332,8 @@ ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
        ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
        if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
                salt_length = ldns_rdf_data(salt_rdf)[0];
+               if((size_t)salt_length+1 > ldns_rdf_size(salt_rdf))
+                       return NULL;
                salt = LDNS_XMALLOC(uint8_t, salt_length);
                 if(!salt) return NULL;
                memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
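Review bot: The early return added after `salt_length = ldns_rdf_data(salt_rdf)[0];` gives NULL a third meaning: a truncated salt rdata, on top of allocation failure and (presumably) a missing salt, and nothing in the hunk tells callers which one they got. Any caller that takes the salt length from a separate accessor such as ldns_nsec3_salt_length (not visible here) must check this pointer for NULL before using that length, so those call sites are worth confirming. The bound itself looks right, since the cast to size_t keeps `salt_length+1` from wrapping and the memcpy then stays within the rdf. I would put a comment above the check, e.g. `/* rdata is <1-octet length><salt>; reject a length octet that claims more bytes than the rdf holds */`, and state the NULL-on-malformed-input case in the function's doc comment. The declarations and the tail of ldns_nsec3_salt_data lie outside the hunk.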