From: W.C.A. Wijngaards Date: Tue, 19 Nov 2019 15:17:06 +0000 (+0100) Subject: - Fix Out-of-bounds Read in rr_comment_dnskey(), X-Git-Tag: release-1.9.6rc1~61 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07156bd5ea540dc4eb801c43e30be39cc05902f7;p=thirdparty%2Funbound.git - Fix Out-of-bounds Read in rr_comment_dnskey(), reported by X41 D-Sec. --- diff --git a/doc/Changelog b/doc/Changelog index 823d837a1..9803ae8cc 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -7,6 +7,8 @@ reported by X41 D-Sec. - Fix Unchecked NULL Pointer in dns64_inform_super() and ipsecmod_new(), reported by X41 D-Sec. + - Fix Out-of-bounds Read in rr_comment_dnskey(), + reported by X41 D-Sec. 18 November 2019: Wouter - In unbound-host use separate variable for get_option to please diff --git a/sldns/wire2str.c b/sldns/wire2str.c index 01ec84b3c..f4f52abeb 100644 --- a/sldns/wire2str.c +++ b/sldns/wire2str.c @@ -585,6 +585,7 @@ static int rr_comment_dnskey(char** s, size_t* slen, uint8_t* rr, if(rrlen < dname_off + 10) return 0; rdlen = sldns_read_uint16(rr+dname_off+8); if(rrlen < dname_off + 10 + rdlen) return 0; + if(rdlen < 2) return 0; rdata = rr + dname_off + 10; flags = (int)sldns_read_uint16(rdata); w += sldns_str_print(s, slen, " ;{");
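Review bot: In the sldns/wire2str.c hunk, the new `if(rdlen < 2) return 0;` has no comment saying what the 2 stands for. It is the size of the flags field that `sldns_read_uint16(rdata)` reads two lines later, so a short comment such as "need 2 bytes of rdata for the flags" would keep the bound tied to the read it protects. The check only covers that 16-bit flags read. If rr_comment_dnskey() reads further into rdata after the lines shown in this hunk, those reads need to be bounded by rdlen as well, either by raising this minimum or by checking at each access. The existing `rrlen < dname_off + 10 + rdlen` test already ensures rdlen bytes are present in the buffer, so placing the new check directly after it and returning 0 like the neighbouring early exits is consistent. A regression case with a DNSKEY record whose rdlen is 0 or 1 would be worth adding alongside the fix.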