From: W.C.A. Wijngaards
Date: Thu, 26 Sep 2019 07:27:29 +0000 (+0200)
Subject: * bugfix #51: Heap Out-of-bound Read vulnerability in
X-Git-Tag: 1.8.0-rc.1~79^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=136ec420437041fe13f344a2053e774f9050cc38;p=thirdparty%2Fldns.git
* bugfix #51: Heap Out-of-bound Read vulnerability in ldns_nsec3_salt_data reported by pokerfacett.
---
diff --git a/Changelog b/Changelog
index 530fad89..e4685605 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,8 @@
 ...
 * bugfix #50: heap Out-of-bound Read vulnerability in
 rr_frm_str_internal reported by pokerfacett.
+ * bugfix #51: Heap Out-of-bound Read vulnerability in
+ ldns_nsec3_salt_data reported by pokerfacett.
 1.7.1 2019-07-26
 * bugfix: Manage verification paths for OpenSSL >= 1.1.0
diff --git a/dnssec.c b/dnssec.c
index 52c35ee7..482cefd6 100644
--- a/dnssec.c
+++ b/dnssec.c
@@ -1332,6 +1332,8 @@ ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
 ldns_rdf *salt_rdf = ldns_nsec3_salt(nsec3_rr);
 if (salt_rdf && ldns_rdf_size(salt_rdf) > 0) {
 salt_length = ldns_rdf_data(salt_rdf)[0];
+ if((size_t)salt_length+1 > ldns_rdf_size(salt_rdf))
+ return NULL;
 salt = LDNS_XMALLOC(uint8_t, salt_length);
 if(!salt) return NULL;
 memcpy(salt, &ldns_rdf_data(salt_rdf)[1], salt_length);
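Review bot: After the added check in ldns_nsec3_salt_data, a NULL return covers three different conditions — no salt rdf, a length byte larger than the rdf data, and a failed LDNS_XMALLOC — and nothing in the hunk tells a caller which one occurred. Code that reads the length separately (for example via ldns_nsec3_salt_length, which is not part of this diff) and then uses the returned pointer for that many bytes would presumably need its own NULL check, so those call sites are worth auditing alongside this fix. I would also document the new branch, e.g. `/* malformed rdata: length byte exceeds rdf size, do not read past the buffer */`, and brace the `if` so the early return cannot be separated from its condition by a later edit. The function body starts before and continues past this hunk.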