From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 15:54:44 +0000 (+0100)
Subject: - Fix Out of Bounds Write in sldns_bget_token_par(),
X-Git-Tag: release-1.9.6rc1~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa23ee8f31ba9a018c720ea822faaee639dc7a9c;p=thirdparty%2Funbound.git

- Fix Out of Bounds Write in sldns_bget_token_par(),
  reported by X41 D-Sec.
---

diff --git a/doc/Changelog b/doc/Changelog
index e604158ac..54c69a8f7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -15,6 +15,8 @@
 	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
 	- Fix Out of Bounds Read in sldns_str2wire_dname(),
 	  reported by X41 D-Sec.
+	- Fix Out of Bounds Write in sldns_bget_token_par(),
+	  reported by X41 D-Sec.
 
 18 November 2019: Wouter
 	- In unbound-host use separate variable for get_option to please
diff --git a/sldns/parse.c b/sldns/parse.c
index b62c40597..b30264e88 100644
--- a/sldns/parse.c
+++ b/sldns/parse.c
@@ -325,8 +325,14 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
 		if (c == '\n' && p != 0) {
 			/* in parentheses */
 			/* do not write ' ' if we want to skip spaces */
-			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' '))))
+			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
+				/* check for space for the space character */
+				if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+					*t = '\0';
+					return -1;
+				}
 				*t++ = ' ';
+			}
 			lc = c;
 			continue;
 		}