|
|
685f10 |
From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001
|
|
|
685f10 |
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
|
685f10 |
Date: Wed, 16 Jan 2019 16:27:33 +0100
|
|
|
685f10 |
Subject: [PATCH 2/2] Fix possible crash when loading corrupted file
|
|
|
685f10 |
|
|
|
685f10 |
Some values passes internal triggers by coincidence. Fix the check and
|
|
|
685f10 |
check also first_node_offset before even passing it further.
|
|
|
685f10 |
|
|
|
685f10 |
lib/dns/rbt.c | 5 +++
|
|
|
685f10 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
685f10 |
|
|
|
685f10 |
diff
|
|
|
685f10 |
index 62d0826..b029b7d 100644
|
|
|
685f10 |
|
|
|
685f10 |
|
|
|
685f10 |
@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
|
|
|
685f10 |
return (ISC_R_SUCCESS);
|
|
|
685f10 |
|
|
|
685f10 |
CONFIRM((void *) n >= base);
|
|
|
685f10 |
- CONFIRM((char *) n - (char *) base <= (int) nodemax);
|
|
|
685f10 |
+ CONFIRM((size_t)((char *) n - (char *) base) <= nodemax);
|
|
|
685f10 |
CONFIRM(DNS_RBTNODE_VALID(n));
|
|
|
685f10 |
|
|
|
685f10 |
dns_name_init(&nodename, NULL);
|
|
|
685f10 |
@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
|
|
|
685f10 |
rbt->root = (dns_rbtnode_t *)((char *)base_address +
|
|
|
685f10 |
header_offset + header->first_node_offset);
|
|
|
685f10 |
|
|
|
685f10 |
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
|
|
|
685f10 |
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
|
|
|
685f10 |
+ || header->first_node_offset > filesize) {
|
|
|
685f10 |
result = ISC_R_INVALIDFILE;
|
|
|
685f10 |
goto cleanup;
|
|
|
685f10 |
}
|
|
|
685f10 |
--
|
|
|
685f10 |
2.20.1
|
|
|
685f10 |
|