git.ipfire.org Git - thirdparty/bind9.git/commit

author	Michal Nowak <mnowak@isc.org>
	Wed, 20 May 2026 17:58:41 +0000 (17:58 +0000)
committer	Michal Nowak <mnowak@isc.org>
	Thu, 21 May 2026 11:41:29 +0000 (11:41 +0000)
commit	bb8321c637502aa16d1418f4803d4b83f6ef2ba1
tree	c6363315d2989beb1141ed775cb95be56ffbcd7a	tree \| snapshot
parent	ebe67bf017af3f73e9660c983d9cdfe669db7e7e	commit \| diff

Validate nsec3hash arguments instead of relying on atoi()

The nsec3hash tool parsed its algorithm, flags, and iterations
arguments with atoi(), then range-checked the result. For values
that overflow int during digit-by-digit accumulation, atoi() is
undefined; in practice on musl libc the modular wrap leaves
n == 0, which silently passes the "iterations > 0xffffU" check.
On Alpine Linux this made nsec3hash succeed with iterations
treated as 0 for inputs like 4294967296 (2^32).

The latent bug only surfaced when the recent image rebuild pulled
in Hypothesis 6.152.9 (2026-05-19), which unified the distribution
used for bounded and unbounded integers() strategies. The new
smoother distribution explores the 2^32 boundary on unbounded
ranges like integers(min_value=65536); earlier versions did not
reach there, so test_nsec3hash_too_many_iterations only started
failing on Alpine after the image refresh.

Replace the three atoi() calls with isc_parse_uint8 /
isc_parse_uint16, which uniformly reject overflow, trailing
garbage, leading sign, and non-numeric input across libc
implementations. As a side effect, error messages now include
the offending argument and a specific reason ("out of range" vs
"not a valid number").

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit e13302a6bc9b196564b5e7afe703fae24311ceeb)