File bsc1185385_CVE-2019-25034_a3545867.patch of Package unbound.24859

Overview Repositories Revisions Requests Users Attributes Meta

File bsc1185385_CVE-2019-25034_a3545867.patch of Package unbound.24859

From a3545867fcdec50307c776ce0af28d07046a52dd Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 16:42:17 +0100
Subject: [PATCH] - Fix Integer Overflow to Buffer Overflow in  
 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.

---
 doc/Changelog    | 2 ++
 sldns/str2wire.c | 4 ++++
 2 files changed, 6 insertions(+)

|diff --git doc/Changelog doc/Changelog
|index 7398075e..509b74b8 100644
|--- doc/Changelog
|+++ doc/Changelog
|@@ -11,6 +11,8 @@
| 	  reported by X41 D-Sec.
| 	- Fix Integer Overflows in Size Calculations,
| 	  reported by X41 D-Sec.
|+	- Fix Integer Overflow to Buffer Overflow in
|+	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
| 
| 18 November 2019: Wouter
| 	- In unbound-host use separate variable for get_option to please
diff --git sldns/str2wire.c sldns/str2wire.c
index 097f6210..f08f107c 100644
--- sldns/str2wire.c
+++ sldns/str2wire.c
@@ -150,6 +150,10 @@ int sldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
 	if(s) return s;
 
 	if(rel && origin && dlen > 0) {
+		if((unsigned)dlen >= 0x00ffffffU ||
+			(unsigned)origin_len >= 0x00ffffffU)
+			/* guard against integer overflow in addition */
+			return RET_ERR(LDNS_WIREPARSE_ERR_GENERAL, *len);
 		if(dlen + origin_len - 1 > LDNS_MAX_DOMAINLEN)
 			return RET_ERR(LDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
 				LDNS_MAX_DOMAINLEN);
-- 
2.26.2

Places

File bsc1185385_CVE-2019-25034_a3545867.patch of Package unbound.24859

Places