Silence Untrusted value as argument (TAINTED_SCALAR)

Coverity assumes that the memory holding any value read using byte
swapping is tainted.  As we store the NSEC3 records in wire form
and iterations is byte swapped the memory holding the record is
marked as tainted.  nsec3->salt_length and nsec3->next_length are
marked as tainted transitively. To remove the taint the values need
to be range checked.  Valid values for these should never exceed
region.length so that is becomes a reasonable value to check against.

    *** CID 316509:    (TAINTED_SCALAR)
    /lib/dns/rdata/generic/nsec3_50.c: 312 in tostruct_nsec3()
    306     	if (nsec3->salt == NULL) {
    307     		return (ISC_R_NOMEMORY);
    308     	}
    309     	isc_region_consume(&region, nsec3->salt_length);
    310
    311     	nsec3->next_length = uint8_consume_fromregion(&region);
    >>>     CID 316509:    (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3->next_length" to "mem_maybedup", which uses it as an offset.
    312     	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
    313     	if (nsec3->next == NULL) {
    314     		goto cleanup;
    315     	}
    316     	isc_region_consume(&region, nsec3->next_length);
    317
    /lib/dns/rdata/generic/nsec3_50.c: 305 in tostruct_nsec3()
    299     	region.length = rdata->length;
    300     	nsec3->hash = uint8_consume_fromregion(&region);
    301     	nsec3->flags = uint8_consume_fromregion(&region);
    302     	nsec3->iterations = uint16_consume_fromregion(&region);
    303
    304     	nsec3->salt_length = uint8_consume_fromregion(&region);
    >>>     CID 316509:    (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3->salt_length" to "mem_maybedup", which uses it as an offset.
    305     	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
    306     	if (nsec3->salt == NULL) {
    307     		return (ISC_R_NOMEMORY);
    308     	}
    309     	isc_region_consume(&region, nsec3->salt_length);
    310

diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index 027f888a2782c9e160ab4cd12f632534e4eed30d..e1eab66d5a989f364e9f80817b6db4a012011ee9 100644 (file)
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -302,6 +302,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
        nsec3->iterations = uint16_consume_fromregion(&region);
 
        nsec3->salt_length = uint8_consume_fromregion(&region);
+       INSIST(nsec3->salt_length <= region.length);
        nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
        if (nsec3->salt == NULL) {
                return (ISC_R_NOMEMORY);
@@ -309,6 +310,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
        isc_region_consume(&region, nsec3->salt_length);
 
        nsec3->next_length = uint8_consume_fromregion(&region);
+       INSIST(nsec3->next_length <= region.length);
        nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
        if (nsec3->next == NULL) {
                goto cleanup;