From: W.C.A. Wijngaards Date: Thu, 7 May 2026 12:40:48 +0000 (+0200) Subject: - Fix for Heap Out-of-Bounds Write via size_t-to-int Truncation X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=33e2863862a629e7748760ea18f0afdb2558121e;p=thirdparty%2Funbound.git - Fix for Heap Out-of-Bounds Write via size_t-to-int Truncation in setup_if() - outside_network_create(). This fixes that large values for num_ports do not overflow and create invalid references after integer truncation. Thanks to Karnakar Reddy (@karnakarreddi) for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 651e06ffd..059a5f19f 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,10 @@ +7 May 2026: Wouter + - Fix for Heap Out-of-Bounds Write via size_t-to-int Truncation + in setup_if() - outside_network_create(). This fixes that + large values for num_ports do not overflow and create + invalid references after integer truncation. Thanks + to Karnakar Reddy (@karnakarreddi) for the report. + 1 May 2026: Wouter - iana portlist updated. diff --git a/services/outside_network.c b/services/outside_network.c index 8034ff60b..b19d58622 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -1707,6 +1707,12 @@ static int setup_if(struct port_if* pif, const char* addrstr, !netblockstrtoaddr(addrstr, UNBOUND_DNS_PORT, &pif->addr, &pif->addrlen, &pif->pfxlen)) return 0; +#ifdef INT_MAX + if(numfd > (size_t)INT_MAX) { + log_err("num_ports exceeds INT_MAX"); + return 0; + } +#endif pif->maxout = (int)numfd; pif->inuse = 0; pif->out = (struct port_comm**)calloc(numfd, @@ -1775,6 +1781,13 @@ outside_network_create(struct comm_base *base, size_t bufsize, outside_network_delete(outnet); return NULL; } +#ifdef INT_MAX + if(num_ports > (size_t)INT_MAX) { + log_err("outgoing num_ports exceeds INT_MAX"); + outside_network_delete(outnet); + return NULL; + } +#endif #ifndef INET6 do_ip6 = 0; #endif
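Review bot: in the setup_if() hunk of services/outside_network.c, the new bound check is wrapped in `#ifdef INT_MAX`, so in a build where INT_MAX is not defined at that point the check compiles out silently and `pif->maxout = (int)numfd;` truncates exactly as before. Because the fix depends on this check, make sure <limits.h> is included and drop the guard, or turn the missing macro into a build failure with #error. The message "num_ports exceeds INT_MAX" also names a different variable from the one tested (numfd). Logging the offending value would help an operator trace it back to the configuration.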
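Review bot: in the outside_network_create() hunk, the num_ports check sits at a point where outnet already exists and has to be torn down with `outside_network_delete(outnet);`, although the condition depends only on the num_ports argument. Doing the check on entry to the function would reduce the reject path to a plain `return NULL;` and ensure that no earlier code in the function sees the oversized value. This check and the one in setup_if() are near duplicates with different log strings. A single shared helper would keep the two limits from drifting apart.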