From: Ray Bellis Date: Wed, 19 Dec 2018 14:02:01 +0000 (+0000) Subject: Patches for the parsing bugs X-Git-Tag: release-1.7.1-rc1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ded38733e280d19ab7ac16cbcc7981bd529135a;p=thirdparty%2Fldns.git Patches for the parsing bugs Hi Willem, The attached patch appears to suffice to resolve the three bugs I've found so far. I'm not saying it's a perfect fix, but with this in place I didn't manage to trigger any more crashes yet. I've started fuzzing on the wire format parser now, so far no news! Ray
---
diff --git a/str2host.c b/str2host.c
index 10d18925..dd5cc09d 100644
--- a/str2host.c
+++ b/str2host.c
@@ -614,15 +614,19 @@ ldns_str2rdf_b32_ext(ldns_rdf **rd, const char *str)
 uint8_t *buffer;
 int i;
 /* first byte contains length of actual b32 data */
- uint8_t len = ldns_b32_pton_calculate_size(strlen(str));
+ size_t slen = strlen(str);
+ uint32_t len = ldns_b32_pton_calculate_size(slen);
+ if (len > 255) {
+ return LDNS_STATUS_INVALID_B32_EXT;
+ }
 buffer = LDNS_XMALLOC(uint8_t, len + 1);
 if(!buffer) {
 return LDNS_STATUS_MEM_ERR;
 }
 buffer[0] = len;
- i = ldns_b32_pton_extended_hex((const char*)str, strlen(str), buffer + 1,
- ldns_b32_ntop_calculate_size(strlen(str)));
+ i = ldns_b32_pton_extended_hex((const char*)str, slen, buffer + 1,
+ ldns_b32_ntop_calculate_size(slen));
 if (i < 0) {
 LDNS_FREE(buffer);
 return LDNS_STATUS_INVALID_B32_EXT;
@@ -1144,7 +1148,7 @@ ldns_str2rdf_wks(ldns_rdf **rd, const char *str)
 if (serv) {
 serv_port = (int) ntohs((uint16_t) serv->s_port);
 } else {
- serv_port = atoi(token);
+ serv_port = (uint16_t) atoi(token);
 }
 if (serv_port / 8 >= bm_len) {
 uint8_t *b2 = LDNS_XREALLOC(bitmap, uint8_t, (serv_port / 8) + 1);
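Review bot: In ldns_str2rdf_b32_ext the destination-size argument of `ldns_b32_pton_extended_hex` is still `ldns_b32_ntop_calculate_size(slen)`, the encode-side size, while the buffer behind `buffer + 1` holds only `len` bytes. If that helper returns the encoded length, as its name suggests, the decoder is told it has more room than was allocated, so its own bounds check cannot protect the allocation. Passing the allocated size keeps the bound honest: `i = ldns_b32_pton_extended_hex((const char*)str, slen, buffer + 1, len);`. The function continues past the end of the hunk and the helper definitions are not visible here, so this should be confirmed against them.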
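Review bot: The `(uint16_t)` cast on `atoi(token)` in ldns_str2rdf_wks bounds the later `serv_port / 8` index, but it turns invalid input into a different valid port instead of an error: `65536` becomes 0, `-1` becomes 65535, and non-numeric text also yields 0. Parsing with `strtol` and rejecting anything outside 0..65535 would fail closed, e.g. `long p = strtol(token, &end, 10);` followed by `if (end == token || *end != '\0' || p < 0 || p > 65535) { /* release allocations, return an error status */ }`. The error path has to release whatever the function holds at that point (at least `bitmap`), and that cleanup lies outside the hunk.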
@@ -1334,6 +1338,8 @@ ldns_str2rdf_ipseckey(ldns_rdf **rd, const char *str)
 status = ldns_str2rdf_aaaa(&gateway_rdf, gateway);
 } else if (gateway_type == 3) {
 status = ldns_str2rdf_dname(&gateway_rdf, gateway);
+ } else if (gateway_type > 3) {
+ status = LDNS_STATUS_INVALID_STR;
 }
 if (status != LDNS_STATUS_OK) {
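Review bot: The new `gateway_type > 3` branch in ldns_str2rdf_ipseckey only rejects values above the defined range; the declaration of `gateway_type` is outside the hunk, and if it is a signed type a negative value still falls through the chain with `status` untouched. It is worth confirming the variable is unsigned (or range-checked where it is parsed) and adding a comment that states the accepted set, such as `/* IPSECKEY gateway types are 0..3 (RFC 4025); anything else is invalid */`. The start of the if/else chain and the body of the `status != LDNS_STATUS_OK` check are not visible here.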