BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()

In resolv_dn_label_to_str(), size for a dn label was stored into an integer
from a signed char without a cast to unsigned. So dn label with a size of
128 bytes or more become negative, skipping this way the copy loop and
desynchronizing input vs output.

In addition, the size of the destination string was only checked at the
begining, against the dn string length. But it must also be checked for
every dn label, to be sure. The dn string can be forged to copied more bytes
than expected.

This patch must be backported to all stable versions.

diff --git a/src/resolvers.c b/src/resolvers.c
index 07c25b2c8c7248735bba86f841de3d147c993c14..ee49fb8f923dd63980dce8d220b5803e4beca772 100644 (file)
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -1855,7 +1855,12 @@ int resolv_dn_label_to_str(const char *dn, int dn_len, char *str, int str_len)
 
        ptr = str;
        for (i = 0; i < dn_len; ++i) {
-               sz = dn[i];
+               sz = (unsigned char)dn[i];
+
+               /* Check str_len adding 1 for the dot if (i!=0) */
+               if (str_len < sz+i+(!!i))
+                       return -1;
+
                if (i)
                        *ptr++ = '.';
                /* copy the string at i+1 to lower case */