1984850958
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/bind.git#84e2317aef685da5ba32268db0d9abe7b9799362
39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
From a1a4730c1f02cd85680cf7608ac81e0db59ee522 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
Date: Wed, 16 Jan 2019 16:27:33 +0100
|
|
Subject: [PATCH] Fix possible crash when loading corrupted file
|
|
|
|
Some values passes internal triggers by coincidence. Fix the check and
|
|
check also first_node_offset before even passing it further.
|
|
---
|
|
lib/dns/rbt.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
|
|
index ef6441b..404fd6d 100644
|
|
--- a/lib/dns/rbt.c
|
|
+++ b/lib/dns/rbt.c
|
|
@@ -754,7 +754,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
|
|
}
|
|
|
|
CONFIRM((void *)n >= base);
|
|
- CONFIRM((char *)n - (char *)base <= (int)nodemax);
|
|
+ CONFIRM((size_t)((char *)n - (char *)base) <= (int)nodemax);
|
|
CONFIRM(DNS_RBTNODE_VALID(n));
|
|
|
|
dns_name_init(&nodename, NULL);
|
|
@@ -911,7 +911,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
|
|
rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
|
|
header->first_node_offset);
|
|
|
|
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
|
|
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
|
|
+ || header->first_node_offset > filesize) {
|
|
+
|
|
result = ISC_R_INVALIDFILE;
|
|
goto cleanup;
|
|
}
|
|
--
|
|
2.21.1
|
|
|