Importing invalid SKR file might overflow the stack buffer
authorOndřej Surý <ondrej@isc.org>
Sun, 22 Feb 2026 05:37:33 +0000 (06:37 +0100)
committerOndřej Surý (GitLab job 6920948) <ondrej@isc.org>
Tue, 24 Feb 2026 18:45:41 +0000 (18:45 +0000)
If an invalid SKR file is imported, reading the time from the token
buffer might overflow the buffer on the local stack.  This has been
fixed by removing the intermediate buffer and parsing the lexer token
directly.

(cherry picked from commit 8ab4827a0c35128a88212237395f388c17e9ff26)

bin/dnssec/dnssec-ksr.c
lib/dns/skr.c

index d5a7e7f3eb3614a77481c843fc32906f6dc9b60e..01df9843cc21eb9e8482ee4d137cb58231408790 100644 (file)
@@ -1211,7 +1211,6 @@ sign(ksr_ctx_t *ksr) {
                }
 
                if (strcmp(STR(token), ";;") == 0) {
-                       char bundle[KSR_LINESIZE];
                        isc_stdtime_t next_inception;
 
                        CHECK(isc_lex_gettoken(lex, opt, &token));
@@ -1245,9 +1244,8 @@ sign(ksr_ctx_t *ksr) {
                        }
 
                        /* Date and time of bundle */
-                       sscanf(STR(token), "%s", bundle);
-                       next_inception = strtotime(bundle, ksr->now, ksr->now,
-                                                  NULL);
+                       next_inception = strtotime(STR(token), ksr->now,
+                                                  ksr->now, NULL);
 
                        if (have_bundle) {
                                /* Sign previous bundle */
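Review bot: The comment `/* Date and time of bundle */` above the new `strtotime(STR(token), ksr->now, ksr->now, NULL)` call does not say why the token is parsed in place, so a later cleanup could reintroduce a fixed-size copy. The token text comes from the imported file and nothing visible here limits it to KSR_LINESIZE, which is what let the removed `sscanf(STR(token), "%s", bundle)` write past `char bundle[KSR_LINESIZE]`. I would extend the comment to something like `/* Date and time of bundle; parse the lexer token in place, its length is file-controlled so never copy it into a fixed-size buffer */`. The `/* Create new bundle */` comment in the dns_skr_read hunk has the same gap. sign() starts and ends outside this hunk.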
index cfe27cc54cd4fec09ea8fc19d53e18a26ed05d94..6b63612dbf397ece6e7ab285253f8052e8c0002f 100644 (file)
@@ -231,7 +231,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
             dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) {
        isc_result_t result;
        dns_skrbundle_t *bundle = NULL;
-       char bundlebuf[1024];
        uint32_t bundle_id;
        isc_lex_t *lex = NULL;
        isc_lexspecials_t specials;
@@ -304,8 +303,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
                        }
 
                        /* Create new bundle */
-                       sscanf(STR(token), "%s", bundlebuf);
-                       CHECK(dns_time32_fromtext(bundlebuf, &bundle_id));
+                       CHECK(dns_time32_fromtext(STR(token), &bundle_id));
                        bundle = NULL;
                        skrbundle_create(mctx, (isc_stdtime_t)bundle_id,
                                         &bundle);
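Review bot: `CHECK(dns_time32_fromtext(STR(token), &bundle_id));` now passes the whole lexer token, where the removed `sscanf(STR(token), "%s", bundlebuf)` passed only the part up to the first whitespace. If the lexer can return a token containing whitespace at this point (its options are set outside this hunk), a file that used to load would now fail through CHECK. That stricter result looks intended, but the commit message does not mention it. A short comment such as `/* token is untrusted file input and is parsed in full; anything but a bare timestamp must be rejected */` would record the intent. dns_time32_fromtext() is defined outside this diff, so its handling of over-long input is assumed rather than shown, and dns_skr_read() starts and ends outside this hunk.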