- Fix for Heap Out-of-Bounds Write via size_t-to-int Truncation
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 7 May 2026 12:40:48 +0000 (14:40 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 7 May 2026 12:40:48 +0000 (14:40 +0200)
  in setup_if() - outside_network_create(). This fixes that
  large values for num_ports do not overflow and create
  invalid references after integer truncation. Thanks
  to Karnakar Reddy (@karnakarreddi) for the report.

doc/Changelog
services/outside_network.c

index 651e06ffdba8278f8751a2eb0e7ae432105fce40..059a5f19f89dbb9386f0f17041f1f63de34f1ddc 100644 (file)
@@ -1,3 +1,10 @@
+7 May 2026: Wouter
+       - Fix for Heap Out-of-Bounds Write via size_t-to-int Truncation
+         in setup_if() - outside_network_create(). This fixes that
+         large values for num_ports do not overflow and create
+         invalid references after integer truncation. Thanks
+         to Karnakar Reddy (@karnakarreddi) for the report.
+
 1 May 2026: Wouter
        - iana portlist updated.
 
index 8034ff60ba10416bbdc77e5fe7c202327d8e5bca..b19d586228070afbbc4de57d8b2e4b3bc9145b1a 100644 (file)
@@ -1707,6 +1707,12 @@ static int setup_if(struct port_if* pif, const char* addrstr,
           !netblockstrtoaddr(addrstr, UNBOUND_DNS_PORT,
                              &pif->addr, &pif->addrlen, &pif->pfxlen))
                return 0;
+#ifdef INT_MAX
+       if(numfd > (size_t)INT_MAX) {
+               log_err("num_ports exceeds INT_MAX");
+               return 0;
+       }
+#endif
        pif->maxout = (int)numfd;
        pif->inuse = 0;
        pif->out = (struct port_comm**)calloc(numfd, 
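Review bot: The new bound check in setup_if() is wrapped in `#ifdef INT_MAX`, so in any build where `<limits.h>` has not been pulled in before this point the guard silently compiles away and `pif->maxout = (int)numfd;` truncates exactly as before. `INT_MAX` comes from the standard header `<limits.h>`, so including it unconditionally in services/outside_network.c and dropping the `#ifdef`/`#endif` pair would make the check unconditional. The include list is outside this hunk, so confirm whether the header is already reached there. The same conditional guard wraps the num_ports check in outside_network_create() in the next hunk. setup_if's body continues outside the hunk.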
@@ -1775,6 +1781,13 @@ outside_network_create(struct comm_base *base, size_t bufsize,
                outside_network_delete(outnet);
                return NULL;
        }
+#ifdef INT_MAX
+       if(num_ports > (size_t)INT_MAX) {
+               log_err("outgoing num_ports exceeds INT_MAX");
+               outside_network_delete(outnet);
+               return NULL;
+       }
+#endif
 #ifndef INET6
        do_ip6 = 0;
 #endif
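Review bot: Nothing at this check says why INT_MAX is the limit for num_ports. In setup_if() the reason is visible on the line after the guard (`pif->maxout = (int)numfd;`), but here the narrowing happens somewhere outside the hunk. A one-line comment above the test would keep a later cleanup from dropping it as redundant, for example `/* num_ports is later narrowed to int; reject values that would truncate */`, assuming that is the path the report describes. outside_network_create's body starts and ends outside the hunk.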