Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
libunbound-devel-mini.22468
bsc1185389.90_CVE-2019-25038.9_02080f6b.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bsc1185389.90_CVE-2019-25038.9_02080f6b.patch of Package libunbound-devel-mini.22468
From 02080f6b180232f43b77f403d0c038e9360a460f Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Date: Tue, 19 Nov 2019 16:32:40 +0100 Subject: [PATCH] - Fix Integer Overflows in Size Calculations, reported by X41 D-Sec. --- dnscrypt/dnscrypt.c | 15 +++++++++++++-- respip/respip.c | 8 +++++++- 2 files changed, 20 insertions(+), 3 deletions(-) --- dnscrypt/dnscrypt.c +++ dnscrypt/dnscrypt.c 2022-01-17 13:21:48.251587868 +0000 @@ -5,6 +5,7 @@ #ifdef HAVE_TIME_H #include <time.h> #endif +#include <inttypes.h> #include <sys/time.h> #include <sys/types.h> #include "sldns/sbuffer.h" @@ -693,12 +694,22 @@ dnsc_load_local_data(struct dnsc_env* dn for(i=0; i<dnscenv->signed_certs_count; i++) { const char *ttl_class_type = " 86400 IN TXT \""; struct SignedCert *cert = dnscenv->signed_certs + i; - uint16_t rrlen = strlen(dnscenv->provider_name) + + uint32_t serial; + uint16_t rrlen; + char *rr; + memcpy(&serial, cert->serial, sizeof serial); + serial = htonl(serial); + if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) { + /* guard against integer overflow in rrlen calculation */ + verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial); + continue; + } + rrlen = strlen(dnscenv->provider_name) + strlen(ttl_class_type) + 4 * sizeof(struct SignedCert) + // worst case scenario 1 + // trailing double quote 1; - char *rr = malloc(rrlen); + rr = malloc(rrlen); if(!rr) { log_err("Could not allocate memory"); return -2; --- respip/respip.c +++ respip/respip.c 2022-01-17 13:16:12.310001548 +0000 @@ -475,10 +475,16 @@ copy_rrset(const struct ub_packed_rrset_ if(!ck->rk.dname) return NULL; + if((unsigned)data->count >= 0xffff00U) + return NULL; /* guard against integer overflow in dsize */ dsize = sizeof(struct packed_rrset_data) + data->count * (sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t)); - for(i=0; i<data->count; i++) + for(i=0; i<data->count; i++) { + if((unsigned)dsize >= 0x0fffffffU || + (unsigned)data->rr_len[i] >= 0x0fffffffU) + return NULL; /* guard against integer overflow */ dsize += data->rr_len[i]; + } d = regional_alloc(region, dsize); if(!d) return NULL;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor