From: Mark Andrews Date: Thu, 2 Jul 2020 03:26:06 +0000 (+1000) Subject: Address overrun in remove_old_tsversions X-Git-Tag: v9.17.4~56^2~1 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6ca78bc57dece45029ee56a73161db7b68140286;p=thirdparty%2Fbind9.git Address overrun in remove_old_tsversions If too many versions of log / dnstap files to be saved where requests the memory after to_keep could be overwritten. Force the number of versions to be saved to a save level. Additionally the memmove length was incorrect.
---
diff --git a/lib/isc/log.c b/lib/isc/log.c
index d03343c371b..9970431ba3b 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -1156,10 +1156,13 @@ remove_old_tsversions(isc_logfile_t *file, int versions) { } if (versions > 0) { + if (versions > ISC_LOG_MAX_VERSIONS) { + versions = ISC_LOG_MAX_VERSIONS; + } /* * First we fill 'to_keep' structure using insertion sort */ - memset(to_keep, 0, versions * sizeof(long long)); + memset(to_keep, 0, sizeof(to_keep)); while (isc_dir_read(&dir) == ISC_R_SUCCESS) { if (dir.entry.length > bnamelen && strncmp(dir.entry.name, bname, bnamelen) == 0 &&
@@ -1176,9 +1179,8 @@ remove_old_tsversions(isc_logfile_t *file, int versions) { if (i < versions) { memmove(&to_keep[i + 1], &to_keep[i], - sizeof(long long) * - versions - - i - 1); + sizeof(to_keep[0]) * + (versions - i - 1)); to_keep[i] = version; } }
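Review bot: The clamp added in the first hunk (`@@ -1156,10 +1156,13 @@`) is tied to `ISC_LOG_MAX_VERSIONS` rather than to the size of `to_keep`, whose declaration is outside the hunk, so the overrun stays fixed only while the two remain equal. Bounding by the array itself removes that coupling and matches the `sizeof(to_keep)` the same hunk now uses for the `memset`: `if ((size_t)versions > sizeof(to_keep) / sizeof(to_keep[0])) { versions = (int)(sizeof(to_keep) / sizeof(to_keep[0])); }`. The cap is also silent, so a caller that asks for more versions presumably ends up with fewer files retained than configured. A comment such as `/* to_keep has a fixed capacity; larger requests are capped, so fewer files are kept than asked for */` would record that for whoever relies on log retention.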
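Review bot: In the second hunk (`@@ -1176,9 +1179,8 @@`) the corrected `memmove` length is still an `int` expression, `versions - i - 1`, implicitly converted to `size_t` by the multiplication, and it is non-negative only because of the enclosing `if (i < versions)`; nothing in the code states that dependency. Since the previous form of this expression was a precedence mistake, naming the count would make the intent checkable: `size_t tail = (size_t)(versions - i - 1);` followed by `memmove(&to_keep[i + 1], &to_keep[i], sizeof(to_keep[0]) * tail);`, with a comment like `/* shift entries i..versions-2 up by one; the last entry falls off */`. The loop that sets `i` starts outside the hunk, so whether `i` can ever be negative at this point is not visible here.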