From: Ondřej Surý
Date: Sun, 22 Feb 2026 05:37:33 +0000 (+0100)
Subject: Importing invalid SKR file might overflow the stack buffer
X-Git-Tag: v9.20.20~8^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25006e2f176c00edab4ac596b5eaa20c9f212cb8;p=thirdparty%2Fbind9.git
Importing invalid SKR file might overflow the stack buffer
If an invalid SKR file is imported, reading the time from the token buffer might overflow the buffer on the local stack. This has been fixed by removing the intermediate buffer and parsing the lexer token directly.
(cherry picked from commit 8ab4827a0c35128a88212237395f388c17e9ff26)
---
diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c
index d5a7e7f3eb3..01df9843cc2 100644
--- a/bin/dnssec/dnssec-ksr.c
+++ b/bin/dnssec/dnssec-ksr.c
@@ -1211,7 +1211,6 @@ sign(ksr_ctx_t *ksr) {
 }
 if (strcmp(STR(token), ";;") == 0) {
- char bundle[KSR_LINESIZE];
 isc_stdtime_t next_inception;
 CHECK(isc_lex_gettoken(lex, opt, &token));
@@ -1245,9 +1244,8 @@ sign(ksr_ctx_t *ksr) {
 }
 /* Date and time of bundle */
- sscanf(STR(token), "%s", bundle);
- next_inception = strtotime(bundle, ksr->now, ksr->now,
- NULL);
+ next_inception = strtotime(STR(token), ksr->now,
+ ksr->now, NULL);
 if (have_bundle) {
 /* Sign previous bundle */
diff --git a/lib/dns/skr.c b/lib/dns/skr.c
index cfe27cc54cd..6b63612dbf3 100644
--- a/lib/dns/skr.c
+++ b/lib/dns/skr.c
@@ -231,7 +231,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
 dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) {
 isc_result_t result;
 dns_skrbundle_t *bundle = NULL;
- char bundlebuf[1024];
 uint32_t bundle_id;
 isc_lex_t *lex = NULL;
 isc_lexspecials_t specials;
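Review bot: In the second bin/dnssec/dnssec-ksr.c hunk, `strtotime(STR(token), ksr->now, ksr->now, NULL)` now receives the lexer token with no length limit at the call site, so memory safety for a malformed SKR file rests entirely on how strtotime() handles an arbitrarily long or malformed string; that function is not shown here, so it is worth confirming. The comment above the call could record the intent so that a fixed-size copy is not reintroduced later, e.g. `/* Date and time of bundle; parsed straight from the token, never copied to a fixed buffer */`. The token-type check that makes `STR(token)` valid is presumably the block closed by the `}` just above, but it lies outside the hunk, as does the rest of sign(). The same consideration applies to the `dns_time32_fromtext(STR(token), &bundle_id)` call in the second lib/dns/skr.c hunk.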
@@ -304,8 +303,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
 }
 /* Create new bundle */
- sscanf(STR(token), "%s", bundlebuf);
- CHECK(dns_time32_fromtext(bundlebuf, &bundle_id));
+ CHECK(dns_time32_fromtext(STR(token), &bundle_id));
 bundle = NULL;
 skrbundle_create(mctx, (isc_stdtime_t)bundle_id, &bundle);
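Review bot: `CHECK(dns_time32_fromtext(STR(token), &bundle_id));` changes what input is accepted as well as removing the copy: the old `%s` conversion skipped leading whitespace and stopped at the first whitespace character, whereas the whole token is now parsed. If the lexer can return a token containing whitespace (a quoted string, for example), an SKR that used to load may now fail with whatever error dns_time32_fromtext() returns; that looks like the right outcome for an imported file, but it deserves a line in the comment, e.g. `/* Create new bundle; the whole token must be a valid timestamp */`. A regression test that imports a malformed SKR whose bundle timestamp token is longer than the old 1024-byte `bundlebuf` would pin the fix; none is visible in this part of the commit. dns_skr_read() begins and ends outside the hunk.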