From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 3 Dec 2019 15:10:34 +0000 (+0100)
Subject: - Fix Out of Bounds Write in sldns_b64_pton(),
X-Git-Tag: release-1.9.6rc1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c99438c6a1b19d71ed07f152f245f15e16ff09d0;p=thirdparty%2Funbound.git

- Fix Out of Bounds Write in sldns_b64_pton(),
  fixed by check in sldns_str2wire_int16_data_buf(),
  reported by X41 D-Sec.
---

diff --git a/doc/Changelog b/doc/Changelog
index 5c4cb3eb1..00e20279f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -12,6 +12,9 @@
 	  reported by X41 D-Sec.
 	- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
 	  reported by X41 D-Sec.
+	- Fix Out of Bounds Write in sldns_b64_pton(),
+	  fixed by check in sldns_str2wire_int16_data_buf(),
+	  reported by X41 D-Sec.
 
 2 December 2019: Wouter
 	- Merge pull request #122 from he32: In tcp_callback_writer(),
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
index eea9a38b8..358e45345 100644
--- a/sldns/str2wire.c
+++ b/sldns/str2wire.c
@@ -2104,6 +2104,8 @@ int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
 	char* s;
 	int n;
 	n = strtol(str, &s, 10);
+	if(n < 0) /* negative number not allowed */
+		return LDNS_WIREPARSE_ERR_SYNTAX;
 	if(*len < ((size_t)n)+2)
 		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
 	if(n > 65535)