- Fix Integer Overflow in Regional Allocator,

  reported by X41 D-Sec.

diff --git a/config.h.in b/config.h.in
index 3bec6c4fac751f826a50478275f281695585c63a..8c2aa3b94aee54eee21e3dfc112c5843b50199d3 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -715,6 +715,9 @@
 /* Shared data */
 #undef SHARE_DIR
 
+/* The size of `size_t', as computed by sizeof. */
+#undef SIZEOF_SIZE_T
+
 /* The size of `time_t', as computed by sizeof. */
 #undef SIZEOF_TIME_T
 

diff --git a/configure b/configure
index 2b2e97b179f3e0322be0e8e60686a9c84da02d15..17b1c2d48628147b8f92b0c0f8653ab829959c5a 100755 (executable)
--- a/configure
+++ b/configure
@@ -15069,6 +15069,39 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
+# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5
+$as_echo_n "checking size of size_t... " >&6; }
+if ${ac_cv_sizeof_size_t+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_size_t" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (size_t)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_size_t=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5
+$as_echo "$ac_cv_sizeof_size_t" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t
+_ACEOF
+
+
 
 # add option to disable the evil rpath
 

diff --git a/configure.ac b/configure.ac
index b4e40255861bb90725209dd861bbccb0dbc2a6fc..3d58e36e52df8e6ee80adcd55218f6af25a41a6c 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -432,6 +432,7 @@ AC_INCLUDES_DEFAULT
 # endif
 #endif
 ])
+AC_CHECK_SIZEOF(size_t)
 
 # add option to disable the evil rpath
 ACX_ARG_RPATH

diff --git a/doc/Changelog b/doc/Changelog
index 7a69009299380ec1ed0c6d6487ea7e4e4fc76b85..a1f3a4445b06ba2ccc739d25aa0cbf0616e9e48a 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,8 @@
        - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
        - Fix authzone printout buffer length check.
        - Fixes to please lint checks.
+       - Fix Integer Overflow in Regional Allocator,
+         reported by X41 D-Sec.
 
 18 November 2019: Wouter
        - In unbound-host use separate variable for get_option to please

diff --git a/util/regional.c b/util/regional.c
index 899a54edbddddba9f101c84bb6dcb172b8d28590..5be09eb46dc71b11916743c8f7de73792a706a32 100644 (file)
--- a/util/regional.c
+++ b/util/regional.c
@@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
 void *
 regional_alloc(struct regional *r, size_t size)
 {
-       size_t a = ALIGN_UP(size, ALIGNMENT);
+       size_t a;
        void *s;
+       if(
+#if SIZEOF_SIZE_T == 8
+               (unsigned long long)size >= 0xffffffffffffff00ULL
+#else
+               (unsigned)size >= (unsigned)0xffffff00UL
+#endif
+               )
+               return NULL; /* protect against integer overflow in
+                       malloc and ALIGN_UP */
+       a = ALIGN_UP(size, ALIGNMENT);
        /* large objects */
        if(a > REGIONAL_LARGE_OBJECT_SIZE) {
                s = malloc(ALIGNMENT + size);