- Fix Out of Bounds Write in sldns_bget_token_par(),

  reported by X41 D-Sec.

diff --git a/doc/Changelog b/doc/Changelog
index e604158acc892505041c9c1e86567e697c9873f5..54c69a8f7cb0162eec9fc765b741df32c627039a 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -15,6 +15,8 @@
          sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
        - Fix Out of Bounds Read in sldns_str2wire_dname(),
          reported by X41 D-Sec.
+       - Fix Out of Bounds Write in sldns_bget_token_par(),
+         reported by X41 D-Sec.
 
 18 November 2019: Wouter
        - In unbound-host use separate variable for get_option to please

diff --git a/sldns/parse.c b/sldns/parse.c
index b62c405977561e75d75b7b00691970b0f98cca69..b30264e88e794ad993eb1ae1bc4d0cfceff159b3 100644 (file)
--- a/sldns/parse.c
+++ b/sldns/parse.c
@@ -325,8 +325,14 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
                if (c == '\n' && p != 0) {
                        /* in parentheses */
                        /* do not write ' ' if we want to skip spaces */
-                       if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' '))))
+                       if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
+                               /* check for space for the space character */
+                               if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+                                       *t = '\0';
+                                       return -1;
+                               }
                                *t++ = ' ';
+                       }
                        lc = c;
                        continue;
                }