From: Mark Andrews <marka@isc.org>
Date: Tue, 9 Jul 2024 01:55:46 +0000 (+1000)
Subject: Prevent overflow of bufsize
X-Git-Tag: v9.18.29~15^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=0dbda6661dcc45d203906b4d960b0977bcec4051;p=thirdparty%2Fbind9.git

Prevent overflow of bufsize

If bufsize overflows we will have an infinite loop.  In practice
this will not happen unless we have made a coding error.  Add an
INSIST to detect this condition.

    181retry:
    182        isc_buffer_allocate(mctx, &b, bufsize);
    183        result = dns_rdata_totext(rdata, NULL, b);
    184        if (result == ISC_R_NOSPACE) {
    185                isc_buffer_free(&b);

    CID 498031: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
    overflow_const: Expression bufsize, which is equal to 0, overflows
    the type that receives it, an unsigned integer 32 bits wide.
    186                bufsize *= 2;
    187                goto retry;
    188        }

(cherry picked from commit 20ac13fb234f9bca37fe8b86910df805779a7621)
---

diff --git a/bin/dig/host.c b/bin/dig/host.c
index 011587a5a63..57c1fb492da 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -185,6 +185,7 @@ retry:
 	result = dns_rdata_totext(rdata, NULL, b);
 	if (result == ISC_R_NOSPACE) {
 		isc_buffer_free(&b);
+		INSIST(bufsize <= (UINT_MAX / 2));
 		bufsize *= 2;
 		goto retry;
 	}