From: Mark Andrews <marka@isc.org>
Date: Wed, 7 Jul 2021 04:08:04 +0000 (+1000)
Subject: Silence tainted scalar on rdlen
X-Git-Tag: v9.16.20~27^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ac34c3f55294bd41758e8b205555cf789a72e2e9;p=thirdparty%2Fbind9.git

Silence tainted scalar on rdlen

    2042        ttl = isc_buffer_getuint32(&j->it.source);
    	    13. tainted_data_transitive: Call to function isc_buffer_getuint16 with tainted argument *j->it.source.base returns tainted data. [show details]
    	    14. var_assign: Assigning: rdlen = isc_buffer_getuint16(&j->it.source), which taints rdlen.
    2043        rdlen = isc_buffer_getuint16(&j->it.source);
    2044
    2045        /*
    2046         * Parse the rdata.
    2047         */
    	    15. Condition j->it.source.used - j->it.source.current != rdlen, taking false branch.
    2048        if (isc_buffer_remaininglength(&j->it.source) != rdlen) {
    2049                FAIL(DNS_R_FORMERR);
    2050        }
    	    16. var_assign_var: Assigning: j->it.source.active = j->it.source.current + rdlen. Both are now tainted.
    2051        isc_buffer_setactive(&j->it.source, rdlen);
    2052        dns_rdata_reset(&j->it.rdata);
    	    17. lower_bounds: Checking lower bounds of unsigned scalar j->it.source.active by taking the true branch of j->it.source.active > j->it.source.current.

    CID 316506 (#1 of 1): Untrusted loop bound (TAINTED_SCALAR)
    18. tainted_data: Passing tainted expression j->it.source.active to dns_rdata_fromwire, which uses it as a loop boundary. [show details]
    	    Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
    2053        CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass, rdtype, &j->it.source,
    2054                                 &j->it.dctx, 0, &j->it.target));

(cherry picked from commit f0fdca90f2baa3a8cc2e04fb47f367ef90486357)
---

diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index f54ade5e8d5..7b355083fa4 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -2042,6 +2042,14 @@ read_one_rr(dns_journal_t *j) {
 	ttl = isc_buffer_getuint32(&j->it.source);
 	rdlen = isc_buffer_getuint16(&j->it.source);
 
+	if (rdlen > DNS_RDATA_MAXLENGTH) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: impossible rdlen "
+			      "(%u bytes)",
+			      j->filename, rdlen);
+		FAIL(ISC_R_FAILURE);
+	}
+
 	/*
 	 * Parse the rdata.
 	 */