From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 3 Dec 2019 15:01:31 +0000 (+0100)
Subject: - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
X-Git-Tag: release-1.9.6rc1~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3f3cadd416d6efa92ff2d548ac090f42cd79fee9;p=thirdparty%2Funbound.git

- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
  reported by X41 D-Sec.
---

diff --git a/doc/Changelog b/doc/Changelog
index aabdcec25..5c4cb3eb1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -10,6 +10,8 @@
 	  reported by X41 D-Sec.
 	- Fix OOB Read in sldns_wire2str_dname_scan(),
 	  reported by X41 D-Sec.
+	- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
+	  reported by X41 D-Sec.
 
 2 December 2019: Wouter
 	- Merge pull request #122 from he32: In tcp_callback_writer(),
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
index 705cbc286..eea9a38b8 100644
--- a/sldns/str2wire.c
+++ b/sldns/str2wire.c
@@ -1103,7 +1103,7 @@ int sldns_str2wire_str_buf(const char* str, uint8_t* rd, size_t* len)
 	while(sldns_parse_char(&ch, &s)) {
 		if(sl >= 255)
 			return RET_ERR(LDNS_WIREPARSE_ERR_INVALID_STR, s-str);
-		if(*len < sl+1)
+		if(*len < sl+2)
 			return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
 				s-str);
 		rd[++sl] = ch;