]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
4354. [bug] Check that the received HMAC length matches the
authorMark Andrews <marka@isc.org>
Thu, 5 May 2016 04:19:37 +0000 (14:19 +1000)
committerMark Andrews <marka@isc.org>
Thu, 5 May 2016 04:19:37 +0000 (14:19 +1000)
                        expected length prior to check the contents on the
                        control channel.  This prevents a OOB read error.
                        [RT #42215]

CHANGES
lib/isccc/cc.c

diff --git a/CHANGES b/CHANGES
index e2be1a8789ad86229ea09c8c7a62d4cc5627909f..6813153752c0c47cea3ebcb66435e41e46c28dca 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4354.  [bug]           Check that the received HMAC length matches the
+                       expected length prior to check the contents on the
+                       control channel.  This prevents a OOB read error.
+                       [RT #42215]
+
 4353.  [cleanup]       Update PKCS#11 header files. [RT #42175]
 
 4352.  [cleanup]       The ISC DNSSEC Lookaside Validation (DLV) service
index 3f5ac84d50787afca7afe1d7cfbcd0323006acaf..e5a16ee15e53c30e6279eacc36cf3010e49f7f2b 100644 (file)
@@ -503,16 +503,29 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
         * Verify.
         */
        if (algorithm == ISCCC_ALG_HMACMD5) {
+               isccc_region_t *region;
                unsigned char *value;
 
-               value = (unsigned char *) isccc_sexpr_tostring(hmac);
+               region = isccc_sexpr_tobinary(hmac);
+               if ((region->rend - region->rstart) != HMD5_LENGTH)
+                       return (ISCCC_R_BADAUTH);
+               value = region->rstart;
                if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
                        return (ISCCC_R_BADAUTH);
        } else {
+               isccc_region_t *region;
                unsigned char *value;
                isc_uint32_t valalg;
 
-               value = (unsigned char *) isccc_sexpr_tostring(hmac);
+               region = isccc_sexpr_tobinary(hmac);
+
+               /*
+                * Note: with non-MD5 algorithms, there's an extra octet
+                * to identify which algorithm is in use.
+                */
+               if ((region->rend - region->rstart) != HSHA_LENGTH + 1)
+                       return (ISCCC_R_BADAUTH);
+               value = region->rstart;
                GET8(valalg, value);
                if ((valalg != algorithm) ||
                    !isc_safe_memequal(value, digestb64, HSHA_LENGTH))