git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Thu, 28 Jan 2021 23:12:14 +0000 (10:12 +1100)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 3 Mar 2021 09:55:38 +0000 (10:55 +0100)
commit	7a703244ed9beda8b8ea89bd0581440de29f09c9
tree	f6c309497f7897725d3d96c50b3c41d83094cc77	tree \| snapshot
parent	2cc4e15788cbf54f64e7236a3ea57ee3b23116b4	commit \| diff

Address theoretical buffer overrun in recent change

The strlcat() call was wrong.

    *** CID 316608:  Memory - corruptions  (OVERRUN)
    /lib/dns/resolver.c: 5017 in fctx_create()
    5011      * Make fctx->info point to a copy of a formatted string
    5012      * "name/type".
    5013      */
    5014      dns_name_format(name, buf, sizeof(buf));
    5015      dns_rdatatype_format(type, typebuf, sizeof(typebuf));
    5016      p = strlcat(buf, "/", sizeof(buf));
    >>>     CID 316608:  Memory - corruptions  (OVERRUN)
    >>>     Calling "strlcat" with "buf + p" and "1036UL" is suspicious because "buf" points into a buffer of 1036 bytes and the function call may access "(char *)(buf + p) + 1035UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
    5017      strlcat(buf + p, typebuf, sizeof(buf));
    5018      fctx->info = isc_mem_strdup(mctx, buf);
    5019
    5020      FCTXTRACE("create");
    5021      dns_name_init(&fctx->name, NULL);
    5022      dns_name_dup(name, mctx, &fctx->name);

(cherry picked from commit 59bf6e71e201f5d43771191b4f34a6052eadb582)