git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Wed, 27 Jan 2021 06:17:36 +0000 (17:17 +1100)
committer	Mark Andrews <marka@isc.org>
	Thu, 11 Feb 2021 23:19:27 +0000 (10:19 +1100)
commit	c40133d84062cd5a92fb7ab90b9db5a348d2ae2b
tree	6cc0334bb1fc20afe5a98803021345c0842a9392	tree \| snapshot
parent	fd8d1337a53a68c5e3145dadec173674f2db0cfb	commit \| diff

Silence Insecure data handling (TAINTED_SCALAR)

Coverity assumes that the memory holding any value read using byte
swapping is tainted.  As we store the NSEC3PARAM records in wire
form and iterations is byte swapped the memory holding the record
is marked as tainted.  nsec3->salt_length is marked as tainted
transitively. To remove the taint the value need to be range checked.
For a correctly formatted record region.length should match
nsec3->salt_length and provides a convenient value to check the field
against.

    *** CID 316507:  Insecure data handling  (TAINTED_SCALAR)
    /lib/dns/rdata/generic/nsec3param_51.c: 241 in tostruct_nsec3param()
    235      region.length = rdata->length;
    236      nsec3param->hash = uint8_consume_fromregion(&region);
    237      nsec3param->flags = uint8_consume_fromregion(&region);
    238      nsec3param->iterations = uint16_consume_fromregion(&region);
    239
    240      nsec3param->salt_length = uint8_consume_fromregion(&region);
    >>>     CID 316507:  Insecure data handling  (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3param->salt_length" to "mem_maybedup", which uses it as an offset.
    241      nsec3param->salt = mem_maybedup(mctx, region.base,
    242      nsec3param->salt_length);
    243      if (nsec3param->salt == NULL) {
    244      return (ISC_R_NOMEMORY);
    245      }
    246      isc_region_consume(&region, nsec3param->salt_length);