From a1a4730c1f02cd85680cf7608ac81e0db59ee522 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 16 Jan 2019 16:27:33 +0100
Subject: [PATCH] Fix possible crash when loading corrupted file

Some values passes internal triggers by coincidence. Fix the check and
check also first_node_offset before even passing it further.
---
 lib/dns/rbt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index ef6441b..404fd6d 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -754,7 +754,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
 	}
 
 	CONFIRM((void *)n >= base);
-	CONFIRM((char *)n - (char *)base <= (int)nodemax);
+	CONFIRM((size_t)((char *)n - (char *)base) <= (int)nodemax);
 	CONFIRM(DNS_RBTNODE_VALID(n));
 
 	dns_name_init(&nodename, NULL);
@@ -911,7 +911,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
 	rbt->root = (dns_rbtnode_t *)((char *)base_address +
 				      header_offset + header->first_node_offset);
 
-	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
+	    || header->first_node_offset > filesize) {
+		result = ISC_R_INVALIDFILE;
 		goto cleanup;
 	}
 
-- 
2.21.1
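Review bot: The `(int)nodemax` cast left on the rewritten CONFIRM line in treefix is now the weak point: the left operand is size_t, so the int is converted back to unsigned for the comparison, and if nodemax is wider than int a value above INT_MAX can go negative in the cast and wrap to a huge bound that accepts any node; drop the cast and compare like with like, `CONFIRM((size_t)((char *)n - (char *)base) <= nodemax);` (nodemax's declaration is outside the hunk — if it is already an unsigned type this is also the clean -Wsign-compare fix). The preceding `CONFIRM((void *)n >= base)` is what makes the size_t cast of the pointer difference sound, so the two checks must stay in that order. This also only bounds where the node starts; unless nodemax already has sizeof(*n) subtracted, a node that begins inside the mapping but extends past its end would still pass, which is worth a one-line comment stating exactly what nodemax bounds. treefix's body begins and continues outside the hunk.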
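Review bot: The added `header->first_node_offset > filesize` guard in dns_rbt_deserialize_tree does not bound what is actually dereferenced: rbt->root is computed two lines above as base_address + header_offset + first_node_offset, so an offset just under filesize still places the root node, or its tail, beyond the mapping. The bound should include header_offset and one node, e.g. `|| header->first_node_offset > filesize - header_offset - sizeof(dns_rbtnode_t)`, guarded by an earlier check that filesize is at least header_offset + sizeof(dns_rbtnode_t) so the subtraction cannot wrap. The retained `header->nodecount * sizeof(dns_rbtnode_t) > filesize` test can likewise be defeated by a nodecount large enough to make the product wrap (nodecount's type is outside the hunk); `header->nodecount > filesize / sizeof(dns_rbtnode_t)` expresses the same bound without the multiplication. Setting `result = ISC_R_INVALIDFILE` before the goto is the right fix for that path, assuming result otherwise kept an earlier success value there. The function's body continues outside the hunk on both sides.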