From ee23780246e89affc31c739bbc4cbd429410fba2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Jan 2019 15:22:25 +1100 Subject: [PATCH] maybe_numeric failed to handle NUL in text region. --- CHANGES | 3 +++ lib/dns/rcode.c | 20 ++++++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index b3e0ff2979..5bbc37fbd2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5127. [bug] rcode.c:maybe_numeric failed to handle NUL in text + regions. [GL #807] + 5126. [bug] Named incorrectly accepted empty base64 and hex encoded fields when reading master files. [GL #807] diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index c06b26500f..832303a19b 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -226,28 +226,36 @@ maybe_numeric(unsigned int *valuep, isc_textregion_t *source, isc_result_t result; uint32_t n; char buffer[NUMBERSIZE]; + int v; if (! isdigit(source->base[0] & 0xff) || source->length > NUMBERSIZE - 1) + { return (ISC_R_BADNUMBER); + } /* * We have a potential number. Try to parse it with * isc_parse_uint32(). isc_parse_uint32() requires * null termination, so we must make a copy. */ - snprintf(buffer, sizeof(buffer), "%.*s", - (int)source->length, source->base); - + v = snprintf(buffer, sizeof(buffer), "%.*s", + (int)source->length, source->base); + if (v < 0 || (unsigned)v != source->length) { + return (ISC_R_BADNUMBER); + } INSIST(buffer[source->length] == '\0'); result = isc_parse_uint32(&n, buffer, 10); - if (result == ISC_R_BADNUMBER && hex_allowed) + if (result == ISC_R_BADNUMBER && hex_allowed) { result = isc_parse_uint32(&n, buffer, 16); - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { return (result); - if (n > max) + } + if (n > max) { return (ISC_R_RANGE); + } *valuep = n; return (ISC_R_SUCCESS); }