From: Mark Andrews <marka@isc.org>
Date: Wed, 27 Jan 2021 06:17:36 +0000 (+1100)
Subject: Silence Insecure data handling (TAINTED_SCALAR)
X-Git-Tag: v9.17.11~59^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c40133d84062cd5a92fb7ab90b9db5a348d2ae2b;p=thirdparty%2Fbind9.git

Silence Insecure data handling (TAINTED_SCALAR)

Coverity assumes that the memory holding any value read using byte
swapping is tainted.  As we store the NSEC3PARAM records in wire
form and iterations is byte swapped the memory holding the record
is marked as tainted.  nsec3->salt_length is marked as tainted
transitively. To remove the taint the value need to be range checked.
For a correctly formatted record region.length should match
nsec3->salt_length and provides a convenient value to check the field
against.

    *** CID 316507:  Insecure data handling  (TAINTED_SCALAR)
    /lib/dns/rdata/generic/nsec3param_51.c: 241 in tostruct_nsec3param()
    235     	region.length = rdata->length;
    236     	nsec3param->hash = uint8_consume_fromregion(&region);
    237     	nsec3param->flags = uint8_consume_fromregion(&region);
    238     	nsec3param->iterations = uint16_consume_fromregion(&region);
    239
    240     	nsec3param->salt_length = uint8_consume_fromregion(&region);
    >>>     CID 316507:  Insecure data handling  (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3param->salt_length" to "mem_maybedup", which uses it as an offset.
    241     	nsec3param->salt = mem_maybedup(mctx, region.base,
    242     					nsec3param->salt_length);
    243     	if (nsec3param->salt == NULL) {
    244     		return (ISC_R_NOMEMORY);
    245     	}
    246     	isc_region_consume(&region, nsec3param->salt_length);
---

diff --git a/lib/dns/rdata/generic/nsec3param_51.c b/lib/dns/rdata/generic/nsec3param_51.c
index 669c2c75a64..1cc56e5ae20 100644
--- a/lib/dns/rdata/generic/nsec3param_51.c
+++ b/lib/dns/rdata/generic/nsec3param_51.c
@@ -238,6 +238,7 @@ tostruct_nsec3param(ARGS_TOSTRUCT) {
 	nsec3param->iterations = uint16_consume_fromregion(&region);
 
 	nsec3param->salt_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3param->salt_length == region.length);
 	nsec3param->salt = mem_maybedup(mctx, region.base,
 					nsec3param->salt_length);
 	if (nsec3param->salt == NULL) {