Silence use of tainted scalar
authorMark Andrews <marka@isc.org>
Wed, 7 Jul 2021 02:09:31 +0000 (12:09 +1000)
committerMark Andrews <marka@isc.org>
Mon, 12 Jul 2021 00:45:42 +0000 (10:45 +1000)
    2607
            43. tainted_argument: Calling function journal_read_xhdr taints argument xhdr.size. [show details]
    2608                        result = journal_read_xhdr(j1, &xhdr);
            44. Condition rewrite, taking true branch.
            45. Condition result == 29, taking false branch.
    2609                        if (rewrite && result == ISC_R_NOMORE) {
    2610                                break;
    2611                        }
            46. Condition result != 0, taking false branch.
    2612                        CHECK(result);
    2613
            47. var_assign_var: Assigning: size = xhdr.size. Both are now tainted.
    2614                        size = xhdr.size;

            CID 331088 (#3 of 3): Untrusted allocation size (TAINTED_SCALAR)
            48. tainted_data: Passing tainted expression size to isc__mem_get, which uses it as an allocation size. [show details]
            Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
    2615                        buf = isc_mem_get(mctx, size);

(cherry picked from commit 83fd38dd2ccf682fee117c389f17b2e0089e36aa)

lib/dns/journal.c

index cf66ff4210d903cd8d0bb29e386c2234579f591a..f54ade5e8d5512601acc2b1c5430e760cb509b6d 100644 (file)
@@ -2612,6 +2612,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
                        CHECK(result);
 
                        size = xhdr.size;
+                       if (size > len) {
+                               isc_log_write(JOURNAL_COMMON_LOGARGS,
+                                             ISC_LOG_ERROR,
+                                             "%s: journal file corrupt, "
+                                             "transaction too large",
+                                             j1->filename);
+                               CHECK(ISC_R_FAILURE);
+                       }
                        buf = isc_mem_get(mctx, size);
                        result = journal_read(j1, buf, size);
 
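Review bot: The new `CHECK(ISC_R_FAILURE)` leaves the copy loop at a point where `size` has just been overwritten with the untrusted `xhdr.size` while `buf` may still hold a pointer already returned with `isc_mem_put`; if the function's failure label releases a non-NULL `buf` using the current `size` (the loop body and the failure path are outside this hunk, so this is inferred), that is a double free with a mismatched size. The second hunk shows the pattern explicitly: `isc_mem_put(mctx, buf, size);` on the line before the overwrite, then the new bail-out. Clearing the pointer right after each put, `buf = NULL;`, or doing the range check on `xhdr.size` before assigning it to `size`, closes the window at both sites. The check and its log message are also duplicated verbatim between the two hunks; a small `static` helper that validates `xhdr.size` against `len` and logs once would keep them in sync.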
@@ -2636,6 +2644,15 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
                                /* Check again */
                                isc_mem_put(mctx, buf, size);
                                size = xhdr.size;
+                               if (size > len) {
+                                       isc_log_write(
+                                               JOURNAL_COMMON_LOGARGS,
+                                               ISC_LOG_ERROR,
+                                               "%s: journal file corrupt, "
+                                               "transaction too large",
+                                               j1->filename);
+                                       CHECK(ISC_R_FAILURE);
+                               }
                                buf = isc_mem_get(mctx, size);
                                CHECK(journal_read(j1, buf, size));