From: Evan Hunt
Date: Wed, 11 Oct 2023 18:03:00 +0000 (-0700)
Subject: check chain length is nonzero before examining last entry
X-Git-Tag: v9.19.18~45^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3a206da456723cc38a8a27e1edde1e48da33489a;p=thirdparty%2Fbind9.git

check chain length is nonzero before examining last entry

It was possible to reach add_link() without visiting an intermediate node first, and the check for a duplicate entry could then cause a crash. Credit to OSS-Fuzz for discovering this error.
---
diff --git a/lib/dns/qp.c b/lib/dns/qp.c
index 873183a8e5d..8d94af9c08e 100644
--- a/lib/dns/qp.c
+++ b/lib/dns/qp.c
@@ -1997,7 +1997,7 @@ dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name, void **pval_r,
 static inline void
 add_link(dns_qpchain_t *chain, dns_qpnode_t *node, size_t offset) {
 /* prevent duplication */
- if (chain->chain[chain->len - 1].node == node) {
+ if (chain->len != 0 && chain->chain[chain->len - 1].node == node) {
 return;
 }
 chain->chain[chain->len].node = node;
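Review bot: The store on the last visible line, `chain->chain[chain->len].node = node;`, has no visible upper-bound check on `chain->len`, so the fix covers an out-of-range index at the low end of the array while the high end is unverified from this hunk. add_link() continues past the end of the hunk, so a check may exist there, but one placed after the increment would only fire once the write has already happened. A guard before the store would be safer, for example `INSIST(chain->len < N);` with N standing for the declared size of `chain->chain`, which is not shown here. It would also help to extend the comment so the reason for the length test survives later refactoring: `/* prevent duplication; the chain may still be empty if no intermediate node was visited */`.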