From: Mark Andrews <marka@isc.org>
Date: Tue, 9 Jul 2024 01:59:39 +0000 (+1000)
Subject: Prevent overflow of size
X-Git-Tag: alessio/regression/026024a6ae~7^2~1
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e7ef0a60ab4ffedf5a8defe86a02452b0ee124ab;p=thirdparty%2Fbind9.git

Prevent overflow of size

If size overflows we will have an infinite loop.  In practice
this will not happen unless we have made a coding error.  Add
an INSIST to detect this condition.

    181        while (!done) {
    182                isc_buffer_allocate(mctx, &b, size);
    183                result = dns_rdata_totext(rdata, NULL, b);
    184                if (result == ISC_R_SUCCESS) {
    185                        printf("%.*s\n", (int)isc_buffer_usedlength(b),
    186                               (char *)isc_buffer_base(b));
    187                        done = true;
    188                } else if (result != ISC_R_NOSPACE) {
    189                        check_result(result, "dns_rdata_totext");
    190                }
    191                isc_buffer_free(&b);

    CID 498025: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
    overflow_const: Expression size, which is equal to 0, overflows the type that
    receives it, an unsigned integer 32 bits wide.
    192                size *= 2;
    193        }
---

diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 12ba49d3117..4b813511b75 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -189,6 +189,7 @@ printrdata(dns_rdata_t *rdata) {
 			check_result(result, "dns_rdata_totext");
 		}
 		isc_buffer_free(&b);
+		INSIST(size <= (UINT_MAX / 2));
 		size *= 2;
 	}
 }