packages/unbound
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix integer overflow in sldns_wire2str_pkt_scan

Browse Source
This commit is contained in:
jiangheng 2022-02-07 17:35:18 +08:00
parent 8c3aecacbd
commit 0041d41e50
3 changed files with 50 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
backport-Fix-610-Undefine-shift-in-sldns_str2wire_hip_buf.patch → backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch
View File

41
backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch Normal file
View File

@ -0,0 +1,41 @@
From c29b0e0a96c4d281aef40d69a11c564d6ed1a2c6 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Thu, 3 Feb 2022 09:03:09 +0100
Subject: [PATCH] - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
---
sldns/wire2str.c | 11 +++++++++++
2 files changed, 14 insertions(+)
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
index 6a177ec..b70efe2 100644
--- a/sldns/wire2str.c
+++ b/sldns/wire2str.c
@@ -817,6 +817,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
unsigned i, counter=0;
unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */
int in_buf = 1;
+ size_t dname_len = 0;
if(comprloop) {
if(*comprloop != 0)
maxcompr = 30; /* for like ipv6 reverse name, per label */
@@ -872,6 +873,16 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
labellen = (uint8_t)*dlen;
else if(!in_buf && pos+(size_t)labellen > pkt+pktlen)
labellen = (uint8_t)(pkt + pktlen - pos);
+ dname_len += ((size_t)labellen)+1;
+ if(dname_len > LDNS_MAX_DOMAINLEN) {
+ /* dname_len counts the uncompressed length we have
+ * seen so far, and the domain name has become too
+ * long, prevent the loop from printing overly long
+ * content. */
+ w += sldns_str_print(s, slen,
+ "ErrorDomainNameTooLong");
+ return w;
+ }
for(i=0; i<(unsigned)labellen; i++) {
w += dname_char_print(s, slen, *pos++);
}
--
1.8.3.1

11
unbound.spec
View File

@ -2,7 +2,7 @@
Name: unbound Name: unbound
Version: 1.11.0 Version: 1.11.0
Release: 3 Release: 4
Summary: Unbound is a validating, recursive, caching DNS resolver Summary: Unbound is a validating, recursive, caching DNS resolver
License: BSD License: BSD
Url: https://nlnetlabs.nl/projects/unbound/about/ Url: https://nlnetlabs.nl/projects/unbound/about/
@ -23,7 +23,8 @@ Source13: unbound-anchor.service
Patch0: CVE-2020-28935.patch Patch0: CVE-2020-28935.patch
Patch6000: backport-Fix-610-Undefine-shift-in-sldns_str2wire_hip_buf.patch Patch6000: backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch
Patch6001: backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch
BuildRequires: make flex swig pkgconfig systemd python-unversioned-command BuildRequires: make flex swig pkgconfig systemd python-unversioned-command
BuildRequires: libevent-devel expat-devel openssl-devel python3-devel BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@ -229,6 +230,12 @@ popd
%{_mandir}/man* %{_mandir}/man*
%changelog %changelog
* Mon Feb 07 2022 jiangheng<jiangheng12@huawei.com> - 1.11.0-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix integer overflow in sldns_wire2str_pkt_scan
* Tue Jan 25 2022 jiangheng<jiangheng12@huawei.com> - 1.11.0-3 * Tue Jan 25 2022 jiangheng<jiangheng12@huawei.com> - 1.11.0-3
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA