Tighten $GENERATE directive parsing

The original sscanf processing allowed for a number of syntax errors
to be accepted.  This included missing the closing brace in
${modifiers}

Look for both comma and right brace as intermediate seperators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}.  Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.

diff --git a/bin/tests/system/checkzone/zones/bad-generate-garbage.db b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
new file mode 100644 (file)
index 0000000..0d66e75
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@              SOA     ns hostmaster 2011012708 3600 1200 604800 1200
+               NS      ns
+ns             A       192.0.2.1
+
+$GENERATE 0-7   host$  A 1.2.3.${1,0,dgarbagegarbage}

diff --git a/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
new file mode 100644 (file)
index 0000000..314583e
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@              SOA     ns hostmaster 2011012708 3600 1200 604800 1200
+               NS      ns
+ns             A       192.0.2.1
+
+$GENERATE 0-7   host$  A 1.2.3.${1000

diff --git a/bin/tests/system/checkzone/zones/good-generate-modifier.db b/bin/tests/system/checkzone/zones/good-generate-modifier.db
new file mode 100644 (file)
index 0000000..3c811d6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-generate-modifier.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@              SOA     ns hostmaster 2011012708 3600 1200 604800 1200
+               NS      ns
+ns             A       192.0.2.1
+
+$GENERATE 0-7   host$  A 1.2.3.${1,0,d}
+$GENERATE 8-9   host$  A 1.2.3.${1,0}
+$GENERATE 10-11 host$  A 1.2.3.${1}
+$GENERATE 1024-1026 ${0,3,n}   AAAA 2001:db8::${0,4,x}

diff --git a/lib/dns/master.c b/lib/dns/master.c
index 0933d50e4ca3b718418b9fbf851d9a873fc73022..f733f4cfca2232d49f693745380698fdf3e51328 100644 (file)
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -673,7 +673,10 @@ genname(char *name, int it, char *buffer, size_t length) {
        char fmt[sizeof("%04000000000d")];
        char numbuf[128];
        char *cp;
-       char mode[2];
+       char mode[2] = { 0 };
+       char brace[2] = { 0 };
+       char comma1[2] = { 0 };
+       char comma2[2] = { 0 };
        int delta = 0;
        isc_textregion_t r;
        unsigned int n;
@@ -698,23 +701,31 @@ genname(char *name, int it, char *buffer, size_t length) {
                        strlcpy(fmt, "%d", sizeof(fmt));
                        /* Get format specifier. */
                        if (*name == '{') {
-                               n = sscanf(name, "{%d,%u,%1[doxXnN]}", &delta,
-                                          &width, mode);
-                               switch (n) {
-                               case 1:
-                                       break;
-                               case 2:
+                               n = sscanf(name,
+                                          "{%d%1[,}]%u%1[,}]%1[doxXnN]%1[}]",
+                                          &delta, comma1, &width, comma2, mode,
+                                          brace);
+                               if (n < 2 || n > 6) {
+                                       return (DNS_R_SYNTAX);
+                               }
+                               if (comma1[0] == '}') {
+                                       /* %{delta} */
+                               } else if (comma1[0] == ',' && comma2[0] == '}')
+                               {
+                                       /* %{delta,width} */
                                        n = snprintf(fmt, sizeof(fmt), "%%0%ud",
                                                     width);
-                                       break;
-                               case 3:
+                               } else if (comma1[0] == ',' &&
+                                          comma2[0] == ',' && mode[0] != 0 &&
+                                          brace[0] == '}')
+                               {
+                                       /* %{delta,width,format} */
                                        if (mode[0] == 'n' || mode[0] == 'N') {
                                                nibblemode = true;
                                        }
                                        n = snprintf(fmt, sizeof(fmt),
                                                     "%%0%u%c", width, mode[0]);
-                                       break;
-                               default:
+                               } else {
                                        return (DNS_R_SYNTAX);
                                }
                                if (n >= sizeof(fmt)) {