git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Thu, 28 Jan 2021 23:12:14 +0000 (10:12 +1100)
committer	Mark Andrews <marka@isc.org>
	Sun, 14 Feb 2021 22:41:46 +0000 (22:41 +0000)
commit	59bf6e71e201f5d43771191b4f34a6052eadb582
tree	3569996ddf48d3b0711ad0458a7daea446a5ac23	tree \| snapshot
parent	1d1408567fcde31068e0ddb2a37f8996d44a2694	commit \| diff

Address theoretical buffer overrun in recent change

The strlcat() call was wrong.

    *** CID 316608:  Memory - corruptions  (OVERRUN)
    /lib/dns/resolver.c: 5017 in fctx_create()
    5011      * Make fctx->info point to a copy of a formatted string
    5012      * "name/type".
    5013      */
    5014      dns_name_format(name, buf, sizeof(buf));
    5015      dns_rdatatype_format(type, typebuf, sizeof(typebuf));
    5016      p = strlcat(buf, "/", sizeof(buf));
    >>>     CID 316608:  Memory - corruptions  (OVERRUN)
    >>>     Calling "strlcat" with "buf + p" and "1036UL" is suspicious because "buf" points into a buffer of 1036 bytes and the function call may access "(char *)(buf + p) + 1035UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
    5017      strlcat(buf + p, typebuf, sizeof(buf));
    5018      fctx->info = isc_mem_strdup(mctx, buf);
    5019
    5020      FCTXTRACE("create");
    5021      dns_name_init(&fctx->name, NULL);
    5022      dns_name_dup(name, mctx, &fctx->name);