git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Wed, 27 Jan 2021 06:17:36 +0000 (17:17 +1100)
committer	Mark Andrews <marka@isc.org>
	Thu, 11 Feb 2021 23:43:19 +0000 (10:43 +1100)
commit	6e30caed576ae6c53fc675699fb2ae8588579d6d
tree	e9cf64a3c274c7f42eb31020169d0d3331b1d57d	tree \| snapshot
parent	8302e9fb69d6c9d9606652ff8604eceefb305ec5	commit \| diff

Silence Insecure data handling (TAINTED_SCALAR)

Coverity assumes that the memory holding any value read using byte
swapping is tainted.  As we store the NSEC3PARAM records in wire
form and iterations is byte swapped the memory holding the record
is marked as tainted.  nsec3->salt_length is marked as tainted
transitively. To remove the taint the value need to be range checked.
For a correctly formatted record region.length should match
nsec3->salt_length and provides a convenient value to check the field
against.

    *** CID 316507:  Insecure data handling  (TAINTED_SCALAR)
    /lib/dns/rdata/generic/nsec3param_51.c: 241 in tostruct_nsec3param()
    235      region.length = rdata->length;
    236      nsec3param->hash = uint8_consume_fromregion(&region);
    237      nsec3param->flags = uint8_consume_fromregion(&region);
    238      nsec3param->iterations = uint16_consume_fromregion(&region);
    239
    240      nsec3param->salt_length = uint8_consume_fromregion(&region);
    >>>     CID 316507:  Insecure data handling  (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3param->salt_length" to "mem_maybedup", which uses it as an offset.
    241      nsec3param->salt = mem_maybedup(mctx, region.base,
    242      nsec3param->salt_length);
    243      if (nsec3param->salt == NULL) {
    244      return (ISC_R_NOMEMORY);
    245      }
    246      isc_region_consume(&region, nsec3param->salt_length);

(cherry picked from commit c40133d84062cd5a92fb7ab90b9db5a348d2ae2b)