check chain length is nonzero before examining last entry
authorEvan Hunt <each@isc.org>
Wed, 11 Oct 2023 18:03:00 +0000 (11:03 -0700)
committerEvan Hunt <each@isc.org>
Thu, 12 Oct 2023 18:31:32 +0000 (11:31 -0700)
It was possible to reach add_link() without visiting an
intermediate node first, and the check for a duplicate entry
could then cause a crash.

Credit to OSS-Fuzz for discovering this error.

lib/dns/qp.c

index 873183a8e5db976dae087aa8c19a323fae5919f0..8d94af9c08e0a1c38f5bc8543e15aa817a376f1a 100644 (file)
@@ -1997,7 +1997,7 @@ dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name, void **pval_r,
 static inline void
 add_link(dns_qpchain_t *chain, dns_qpnode_t *node, size_t offset) {
        /* prevent duplication */
-       if (chain->chain[chain->len - 1].node == node) {
+       if (chain->len != 0 && chain->chain[chain->len - 1].node == node) {
                return;
        }
        chain->chain[chain->len].node = node;
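Review bot: The store on the last visible line, `chain->chain[chain->len].node = node;`, has no upper-bound check in view to pair with the new `chain->len != 0` guard, so the write index is only as safe as whatever limits `len` elsewhere. add_link()'s body continues past the hunk, so a capacity assertion may already follow; if it does not, one belongs before this store rather than after it. Separately, the comment `/* prevent duplication */` no longer covers what the condition does, and I would expand it to `/* prevent duplication; an empty chain has no last entry, so skip the comparison rather than index chain[len - 1] */`. If the OSS-Fuzz reproducer is not added as a regression test in another commit, it is worth including so the empty-chain path stays exercised.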