From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 15:46:33 +0000 (+0100)
Subject: - Fix Out of Bounds Read in sldns_str2wire_dname(),
X-Git-Tag: release-1.9.6rc1~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51c23b02099b5c279a8459641727adb198078193;p=thirdparty%2Funbound.git

- Fix Out of Bounds Read in sldns_str2wire_dname(),
  reported by X41 D-Sec.
---

diff --git a/doc/Changelog b/doc/Changelog
index 509b74b87..e604158ac 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -13,6 +13,8 @@
 	  reported by X41 D-Sec.
 	- Fix Integer Overflow to Buffer Overflow in
 	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
+	- Fix Out of Bounds Read in sldns_str2wire_dname(),
+	  reported by X41 D-Sec.
 
 18 November 2019: Wouter
 	- In unbound-host use separate variable for get_option to please
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
index f08f107c6..7c91bbe3d 100644
--- a/sldns/str2wire.c
+++ b/sldns/str2wire.c
@@ -172,7 +172,9 @@ uint8_t* sldns_str2wire_dname(const char* str, size_t* len)
 	uint8_t dname[LDNS_MAX_DOMAINLEN+1];
 	*len = sizeof(dname);
 	if(sldns_str2wire_dname_buf(str, dname, len) == 0) {
-		uint8_t* r = (uint8_t*)malloc(*len);
+		uint8_t* r;
+		if(*len > sizeof(dname)) return NULL;
+		r = (uint8_t*)malloc(*len);
 		if(r) return memcpy(r, dname, *len);
 	}
 	*len = 0;