From: W.C.A. Wijngaards Date: Tue, 19 Nov 2019 14:38:05 +0000 (+0100) Subject: - Fix Integer Overflow in Regional Allocator, X-Git-Tag: release-1.9.6rc1~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=226298bbd36f1f0fd9608e98c2ae85988b7bbdb8;p=thirdparty%2Funbound.git - Fix Integer Overflow in Regional Allocator, reported by X41 D-Sec. --- diff --git a/config.h.in b/config.h.in index 3bec6c4fa..8c2aa3b94 100644 --- a/config.h.in +++ b/config.h.in @@ -715,6 +715,9 @@ /* Shared data */ #undef SHARE_DIR +/* The size of `size_t', as computed by sizeof. */ +#undef SIZEOF_SIZE_T + /* The size of `time_t', as computed by sizeof. */ #undef SIZEOF_TIME_T diff --git a/configure b/configure index 2b2e97b17..17b1c2d48 100755 --- a/configure +++ b/configure @@ -15069,6 +15069,39 @@ cat >>confdefs.h <<_ACEOF _ACEOF +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 +$as_echo_n "checking size of size_t... " >&6; } +if ${ac_cv_sizeof_size_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_size_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (size_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_size_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 +$as_echo "$ac_cv_sizeof_size_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t +_ACEOF + + # add option to disable the evil rpath 
diff --git a/configure.ac b/configure.ac index b4e402558..3d58e36e5 100644 --- a/configure.ac +++ b/configure.ac @@ -432,6 +432,7 @@ AC_INCLUDES_DEFAULT # endif #endif ]) +AC_CHECK_SIZEOF(size_t) # add option to disable the evil rpath ACX_ARG_RPATH diff --git a/doc/Changelog b/doc/Changelog index 7a6900929..a1f3a4445 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,8 @@ - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development. - Fix authzone printout buffer length check. - Fixes to please lint checks. + - Fix Integer Overflow in Regional Allocator, + reported by X41 D-Sec. 18 November 2019: Wouter - In unbound-host use separate variable for get_option to please diff --git a/util/regional.c b/util/regional.c index 899a54edb..5be09eb46 100644 --- a/util/regional.c +++ b/util/regional.c @@ -120,8 +120,18 @@ regional_destroy(struct regional *r) void * regional_alloc(struct regional *r, size_t size) { - size_t a = ALIGN_UP(size, ALIGNMENT); + size_t a; void *s; + if( +#if SIZEOF_SIZE_T == 8 + (unsigned long long)size >= 0xffffffffffffff00ULL +#else + (unsigned)size >= (unsigned)0xffffff00UL +#endif + ) + return NULL; /* protect against integer overflow in + malloc and ALIGN_UP */ + a = ALIGN_UP(size, ALIGNMENT); /* large objects */ if(a > REGIONAL_LARGE_OBJECT_SIZE) { s = malloc(ALIGNMENT + size);
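Review bot: The overflow guard added at the top of regional_alloc depends on the configure-time `SIZEOF_SIZE_T`, and when that macro is undefined or not 8 the `#else` arm compares `(unsigned)size`. On a build with a 64-bit size_t but no define (for instance a config.h that was not regenerated), that cast truncates the value: the overflow range is still caught, but ordinary sizes whose low 32 bits are 0xffffff00 or above are also refused. The same threshold can be written without the preprocessor as `if(size >= (size_t)-1 - 0xff) return NULL;`, which gives the identical bound at either width and does not need the new `AC_CHECK_SIZEOF(size_t)`. The 0x100 headroom is a bare constant, so a comment such as `/* headroom covers ALIGNMENT + size in malloc and the rounding in ALIGN_UP */` would tie it to what it protects; this assumes ALIGNMENT stays well under 256. regional_alloc's body continues outside the hunk, so later arithmetic on `a` is not visible here.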