Importing invalid SKR file might overflow the stack buffer
authorOndřej Surý <ondrej@isc.org>
Sun, 22 Feb 2026 05:37:33 +0000 (06:37 +0100)
committerOndřej Surý <ondrej@isc.org>
Tue, 24 Feb 2026 18:44:57 +0000 (19:44 +0100)
If an invalid SKR file is imported, reading the time from the token
buffer might overflow the buffer on the local stack.  This has been
fixed by removing the intermediate buffer and parsing the lexer token
directly.

bin/dnssec/dnssec-ksr.c
lib/dns/skr.c

index 9664653d0bde33025f4cd0aaf3db728876e19bc8..f76b07c33409e387c35926cd8c570ec44320ffd5 100644 (file)
@@ -1170,7 +1170,6 @@ sign(ksr_ctx_t *ksr) {
                }
 
                if (strcmp(STR(token), ";;") == 0) {
-                       char bundle[KSR_LINESIZE];
                        isc_stdtime_t next_inception;
 
                        CHECK(isc_lex_gettoken(lex, opt, &token));
@@ -1204,9 +1203,8 @@ sign(ksr_ctx_t *ksr) {
                        }
 
                        /* Date and time of bundle */
-                       sscanf(STR(token), "%s", bundle);
-                       next_inception = strtotime(bundle, ksr->now, ksr->now,
-                                                  NULL);
+                       next_inception = strtotime(STR(token), ksr->now,
+                                                  ksr->now, NULL);
 
                        if (have_bundle) {
                                /* Sign previous bundle */
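Review bot: The bundle timestamp read from the KSR file is parsed here with `strtotime(STR(token), ksr->now, ksr->now, NULL)`, while the same field in lib/dns/skr.c goes through `dns_time32_fromtext`, so the two readers may not agree on what a valid bundle time is. If strtotime also accepts relative or shorthand forms (the `ksr->now` base arguments suggest it might), a file-supplied value could be accepted here that the stricter parser would reject. Dropping `sscanf("%s")` also means leading whitespace is no longer skipped and the value is no longer cut at the first whitespace, which matters only if the lexer can return such tokens; that is worth confirming. I would extend the comment to something like `/* Date and time of bundle: file-controlled token, parsed in place and never copied to a fixed-size buffer */`. The body of sign() starts and ends outside this hunk, so any token-type check made before this line is not visible.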
index 7eec1f453144e21d27cac8b5c22e2a6e15e77a15..a54b843fc272849d3ef5166b836762932d3d8f4c 100644 (file)
@@ -215,7 +215,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
             dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) {
        isc_result_t result;
        dns_skrbundle_t *bundle = NULL;
-       char bundlebuf[1024];
        uint32_t bundle_id;
        isc_lex_t *lex = NULL;
        isc_lexspecials_t specials;
@@ -287,8 +286,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
                        }
 
                        /* Create new bundle */
-                       sscanf(STR(token), "%s", bundlebuf);
-                       CHECK(dns_time32_fromtext(bundlebuf, &bundle_id));
+                       CHECK(dns_time32_fromtext(STR(token), &bundle_id));
                        bundle = NULL;
                        skrbundle_create(mctx, (isc_stdtime_t)bundle_id,
                                         &bundle);
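Review bot: The call `dns_time32_fromtext(STR(token), &bundle_id)` now receives a file-controlled string of arbitrary length, and as far as the file list shows the commit touches only the two source files, so no regression test pins the overflow case. A test that imports an SKR file whose bundle timestamp token is longer than the removed 1024-byte `bundlebuf` and expects a clean parse error would keep this from coming back. The safety of the new line rests on dns_time32_fromtext rejecting malformed or over-long input itself, which is not visible here. A comment such as `/* STR(token) is untrusted and unbounded; dns_time32_fromtext() must validate it */` would record that dependency. dns_skr_read continues outside this hunk.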