From: Florian Weimer Date: Fri, 19 Jun 2026 16:22:20 +0000 (+0200) Subject: resolv: More types as unknown in ns_sprintrrf (CVE-2026-5435) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca44a6609c29a683b03575fa035c6d17aa591e72;p=thirdparty%2Fglibc.git resolv: More types as unknown in ns_sprintrrf (CVE-2026-5435) Specifically, CERT, TKEY, TSIG, OPT. This removes the buggy implementations of TSIG, fixing bug 34033, and partially fixing bug 34069. Reviewed-by: Carlos O'Donell Reviewed-by: Adhemerval Zanella
---
diff --git a/resolv/ns_print.c b/resolv/ns_print.c
index e58df5f35a..ab68bf2cb7 100644
--- a/resolv/ns_print.c
+++ b/resolv/ns_print.c
@@ -464,96 +464,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 break;
 }
- case ns_t_cert: {
- u_int c_type, key_tag, alg;
- int n;
- unsigned int siz;
- char base64_cert[8192], tmp[40];
- const char *leader;
-
- c_type = ns_get16(rdata); rdata += NS_INT16SZ;
- key_tag = ns_get16(rdata); rdata += NS_INT16SZ;
- alg = (u_int) *rdata++;
-
- len = SPRINTF((tmp, "%d %d %d ", c_type, key_tag, alg));
- T(addstr(tmp, len, &buf, &buflen));
- siz = (edata-rdata)*4/3 + 4; /* "+4" accounts for trailing \0 */
- if (siz > sizeof(base64_cert) * 3/4) {
- const char *str = "record too long to print";
- T(addstr(str, strlen(str), &buf, &buflen));
- }
- else {
- len = b64_ntop(rdata, edata-rdata, base64_cert, siz);
-
- if (len < 0)
- goto formerr;
- else if (len > 15) {
- T(addstr(" (", 2, &buf, &buflen));
- leader = "\n\t\t";
- spaced = 0;
- }
- else
- leader = " ";
-
- for (n = 0; n < len; n += 48) {
- T(addstr(leader, strlen(leader),
- &buf, &buflen));
- T(addstr(base64_cert + n, MIN(len - n, 48),
- &buf, &buflen));
- }
- if (len > 15)
- T(addstr(" )", 2, &buf, &buflen));
- }
- break;
- }
-
- case ns_t_tkey: {
- /* KJD - need to complete this */
- u_long t;
- int mode, err, keysize;
-
- /* Algorithm name. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Inception. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%lu ", t));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Expiration. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%lu ", t));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Mode , Error, Key Size. */
- /* Priority, Weight, Port. */
- mode = ns_get16(rdata); rdata += NS_INT16SZ;
- err = ns_get16(rdata); rdata += NS_INT16SZ;
- keysize = ns_get16(rdata); rdata += NS_INT16SZ;
- len = SPRINTF((tmp, "%u %u %u ", mode, err, keysize));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* XXX need to dump key, print otherdata length & other data */
- break;
- }
-
- case ns_t_tsig: {
- /* BEW - need to complete this */
- int n;
-
- T(len = addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
- rdata += 8; /*%< time */
- n = ns_get16(rdata); rdata += INT16SZ;
- rdata += n; /*%< sig */
- n = ns_get16(rdata); rdata += INT16SZ; /*%< original id */
- sprintf(buf, "%d", ns_get16(rdata));
- rdata += INT16SZ;
- addlen(strlen(buf), &buf, &buflen);
- break;
- }
- - case ns_t_a6: { struct in6_addr a; int pbyte, pbit;
@@ -588,11 +498,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 break;
 }
- case ns_t_opt: {
- len = SPRINTF((tmp, "%u bytes", class));
- T(addstr(tmp, len, &buf, &buflen));
- break;
- }
 default:
 comment = "";
 goto hexify;