From: W.C.A. Wijngaards
Date: Wed, 8 Jan 2020 10:08:16 +0000 (+0100)
Subject: - Fix out-of-bounds null-byte write in sldns_bget_token_par while
X-Git-Tag: release-1.10.0rc1~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05a5dc2d0d7d1c9054af48913079abebff06a5a1;p=thirdparty%2Funbound.git
- Fix out-of-bounds null-byte write in sldns_bget_token_par while parsing type WKS, reported by Luis Merino from X41 D-Sec.
---
diff --git a/doc/Changelog b/doc/Changelog
index 92b036db3..4f80bbe95 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,7 @@
 8 January 2020: Wouter
 - Fix 'make test' to work for --disable-sha1 configure option.
+ - Fix out-of-bounds null-byte write in sldns_bget_token_par while
+ parsing type WKS, reported by Luis Merino from X41 D-Sec.
 6 January 2020: George
 - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
diff --git a/sldns/parse.c b/sldns/parse.c
index b30264e88..2f9a15e01 100644
--- a/sldns/parse.c
+++ b/sldns/parse.c
@@ -120,7 +120,7 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 if (line_nr) {
 *line_nr = *line_nr + 1;
 }
- if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+ if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
 *t = '\0';
 return -1;
 }
@@ -141,7 +141,7 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 if (c != '\0' && c != '\n') {
 i++;
 }
- if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+ if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
 *t = '\0';
 return -1;
 }
@@ -327,7 +327,7 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
 /* do not write ' ' if we want to skip spaces */
 if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
 /* check for space for the space character */
- if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+ if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
 *t = '\0';
 return -1;
 }
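Review bot: The new bound in the hunk at line 120, `i > limit || (size_t)(t-token) > limit`, lets `t` reach `token + limit` before the branch fires, so its `*t = '\0'` can land one byte past the buffer. That assumes `limit` is the size of `token`, which the hunk does not show. As rendered, the change relaxes `>=` to `>`, the opposite of what the commit description implies, so the direction of the patch should be checked against the repository. The guard should keep the inclusive comparison, `if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {`, and the same applies to the hunks at lines 141, 327 and 354. The enclosing loops of all four hunks start and end outside them, so whether the terminator written after the loop also needs a reserved byte cannot be judged from here.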
@@ -354,7 +354,7 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
 }
 i++;
- if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+ if (limit > 0 && (i > limit || (size_t)(t-token) > limit)) {
 *t = '\0';
 return -1;
 }