From: Mark Andrews Date: Thu, 28 Jan 2021 23:12:14 +0000 (+1100) Subject: Address theoretical buffer overrun in recent change X-Git-Tag: v9.17.11~55^2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=59bf6e71e201f5d43771191b4f34a6052eadb582;p=thirdparty%2Fbind9.git Address theoretical buffer overrun in recent change The strlcat() call was wrong. *** CID 316608: Memory - corruptions (OVERRUN) /lib/dns/resolver.c: 5017 in fctx_create() 5011 * Make fctx->info point to a copy of a formatted string 5012 * "name/type". 5013 */ 5014 dns_name_format(name, buf, sizeof(buf)); 5015 dns_rdatatype_format(type, typebuf, sizeof(typebuf)); 5016 p = strlcat(buf, "/", sizeof(buf)); >>> CID 316608: Memory - corruptions (OVERRUN) >>> Calling "strlcat" with "buf + p" and "1036UL" is suspicious because "buf" points into a buffer of 1036 bytes and the function call may access "(char *)(buf + p) + 1035UL". [Note: The source code implementation of the function has been overridden by a builtin model.] 5017 strlcat(buf + p, typebuf, sizeof(buf)); 5018 fctx->info = isc_mem_strdup(mctx, buf); 5019 5020 FCTXTRACE("create"); 5021 dns_name_init(&fctx->name, NULL); 5022 dns_name_dup(name, mctx, &fctx->name);
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index bae5a2bd0a8..a91a5d52ff7 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4983,7 +4983,6 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
 isc_interval_t interval;
 unsigned int findoptions = 0;
 char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + 1];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
 isc_mem_t *mctx;
 size_t p;
 bool try_stale;
@@ -5012,9 +5011,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
 * "name/type".
 */
 dns_name_format(name, buf, sizeof(buf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
 p = strlcat(buf, "/", sizeof(buf));
- strlcat(buf + p, typebuf, sizeof(buf));
+ INSIST(p + DNS_RDATATYPE_FORMATSIZE < sizeof(buf));
+ dns_rdatatype_format(type, buf + p, sizeof(buf) - p);
 fctx->info = isc_mem_strdup(mctx, buf);

 FCTXTRACE("create");
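Review bot: The added `INSIST(p + DNS_RDATATYPE_FORMATSIZE < sizeof(buf));` relies on a non-obvious property of strlcat() and deserves a comment saying why it holds. strlcat() returns the length it tried to build rather than the bytes it wrote, so after dns_name_format() has bounded the name to the buffer p is strlen(name) + 1, and with buf sized DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + 1 the check passes whenever the formatted name fits in DNS_NAME_FORMATSIZE, which the macro's name suggests but the hunk cannot show; the same check also keeps `sizeof(buf) - p` from wrapping and `buf + p` from pointing past the array if a name were ever truncated, since p would then be at least sizeof(buf). I would add above the INSIST: `/* p == strlen(name) + 1 <= DNS_NAME_FORMATSIZE, so the type string fits; a truncated name makes strlcat() return p >= sizeof(buf) and fails this check. */`. fctx_create() continues on both sides of the hunk.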