]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 357ac87)
Check for overflow in $GENERATE computations
authorMark Andrews <marka@isc.org>
Fri, 1 Jul 2022 01:40:37 +0000 (11:40 +1000)
committerMark Andrews <marka@isc.org>
Wed, 6 Jul 2022 01:26:24 +0000 (11:26 +1000)
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour.  Detect these conditions and return a
range error.

(cherry picked from commit 5327b9708fd0e5d0d6c95183cca9eafb4a1cfe05)

bin/tests/system/checkzone/zones/bad-generate-range.db [new file with mode: 0644] patch | blob
lib/dns/master.c patch | blob | blame | history

diff --git a/bin/tests/system/checkzone/zones/bad-generate-range.db b/bin/tests/system/checkzone/zones/bad-generate-range.db
new file mode 100644 (file)
index 0000000..62a9e15
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-range.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@              SOA     ns hostmaster 2011012708 3600 1200 604800 1200
+               NS      ns
+ns             A       192.0.2.1
+
+; 2147483647 + 1 overflows what can be represented in an 'int'
+$GENERATE 1-1   host$  TXT foo${2147483647}
diff --git a/lib/dns/master.c b/lib/dns/master.c
index e1ba723104fb4c94dd039d454c1c134989dedd45..e938b15a0e1f82d55ea5e8aa95996e53786b7348 100644 (file)
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -735,6 +735,13 @@ genname(char *name, int it, char *buffer, size_t length) {
                                        continue;
                                }
                        }
+                       /*
+                        * 'it' is >= 0 so we don't need to check for
+                        * underflow.
+                        */
+                       if ((it > 0 && delta > INT_MAX - it)) {
+                               return (ISC_R_RANGE);
+                       }
                        if (nibblemode) {
                                n = nibbles(numbuf, sizeof(numbuf), width,
                                            mode[0], it + delta);
Mirror of https://gitlab.isc.org/isc-projects/bind9.git