git.ipfire.org Git - thirdparty/bind9.git/commit

author	Michal Nowak <mnowak@isc.org>
	Wed, 20 May 2026 17:58:41 +0000 (17:58 +0000)
committer	Michal Nowak <mnowak@isc.org>
	Thu, 21 May 2026 11:34:50 +0000 (13:34 +0200)
commit	e13302a6bc9b196564b5e7afe703fae24311ceeb
tree	89fa4081a8f37d1fd2996e505bba05cdb54e1661	tree \| snapshot
parent	be827c68a665da784990f91d81a301ddff94bd69	commit \| diff

Validate nsec3hash arguments instead of relying on atoi()

The nsec3hash tool parsed its algorithm, flags, and iterations
arguments with atoi(), then range-checked the result. For values
that overflow int during digit-by-digit accumulation, atoi() is
undefined; in practice on musl libc the modular wrap leaves
n == 0, which silently passes the "iterations > 0xffffU" check.
On Alpine Linux this made nsec3hash succeed with iterations
treated as 0 for inputs like 4294967296 (2^32).

The latent bug only surfaced when the recent image rebuild pulled
in Hypothesis 6.152.9 (2026-05-19), which unified the distribution
used for bounded and unbounded integers() strategies. The new
smoother distribution explores the 2^32 boundary on unbounded
ranges like integers(min_value=65536); earlier versions did not
reach there, so test_nsec3hash_too_many_iterations only started
failing on Alpine after the image refresh.

Replace the three atoi() calls with isc_parse_uint8 /
isc_parse_uint16, which uniformly reject overflow, trailing
garbage, leading sign, and non-numeric input across libc
implementations. As a side effect, error messages now include
the offending argument and a specific reason ("out of range" vs
"not a valid number").

Assisted-by: Claude:claude-opus-4-7