Diffstat (limited to 'usr.sbin/unbound/sldns/str2wire.c')
-rw-r--r--usr.sbin/unbound/sldns/str2wire.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/usr.sbin/unbound/sldns/str2wire.c b/usr.sbin/unbound/sldns/str2wire.c
index 097f621017f..358e45345e6 100644
--- a/usr.sbin/unbound/sldns/str2wire.c
+++ b/usr.sbin/unbound/sldns/str2wire.c
@@ -150,6 +150,10 @@ int sldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
if(s) return s;
if(rel && origin && dlen > 0) {
+ if((unsigned)dlen >= 0x00ffffffU ||
+ (unsigned)origin_len >= 0x00ffffffU)
+ /* guard against integer overflow in addition */
+ return RET_ERR(LDNS_WIREPARSE_ERR_GENERAL, *len);
if(dlen + origin_len - 1 > LDNS_MAX_DOMAINLEN)
return RET_ERR(LDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
LDNS_MAX_DOMAINLEN);
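Review bot: The added guard casts `dlen` and `origin_len` to `unsigned` before comparing, which would discard the upper bits if they are `size_t` on a 64-bit platform (their declarations are outside the hunk). A length of 2^32 would then compare as 0 and pass the guard. Comparing the uncast values against the real limit avoids both the truncation and the magic constant: `if(dlen > LDNS_MAX_DOMAINLEN || origin_len > LDNS_MAX_DOMAINLEN)`. The comment also sits between the condition and the `return` of an unbraced `if`, so bracing the body would make the control flow harder to misread. The function body starts and ends outside this hunk.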
@@ -168,7 +172,9 @@ uint8_t* sldns_str2wire_dname(const char* str, size_t* len)
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
*len = sizeof(dname);
if(sldns_str2wire_dname_buf(str, dname, len) == 0) {
- uint8_t* r = (uint8_t*)malloc(*len);
+ uint8_t* r;
+ if(*len > sizeof(dname)) return NULL;
+ r = (uint8_t*)malloc(*len);
if(r) return memcpy(r, dname, *len);
}
*len = 0;
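Review bot: The new early `return NULL` leaves `*len` holding the oversized value, whereas the other failure path visible here resets it with `*len = 0;` first. A caller that looks at the length without checking the pointer would see a size larger than any valid name. Keeping the two paths consistent is a one-line change: `if(*len > sizeof(dname)) { *len = 0; return NULL; }`. The end of the function is outside the hunk.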
@@ -187,6 +193,9 @@ rrinternal_get_owner(sldns_buffer* strbuf, uint8_t* rr, size_t* len,
sldns_buffer_position(strbuf));
}
+ if(token_len < 2) /* make sure there is space to read "@" or "" */
+ return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
+ sldns_buffer_position(strbuf));
if(token[0]=='@' && token[1]=='\0') {
uint8_t* tocopy;
if (origin) {
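Review bot: The `token_len < 2` check is placed after the statement whose closing lines open this hunk, which appears to be the error return of the call that fills `token` (that call is not visible here). If that earlier call writes into `token` bounded by `token_len`, a too-small buffer is better rejected before anything is written, so the guard probably belongs at the top of `rrinternal_get_owner`. The same lines could be moved there unchanged. Please confirm against the full function, as only its middle is shown.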
@@ -1094,7 +1103,7 @@ int sldns_str2wire_str_buf(const char* str, uint8_t* rd, size_t* len)
while(sldns_parse_char(&ch, &s)) {
if(sl >= 255)
return RET_ERR(LDNS_WIREPARSE_ERR_INVALID_STR, s-str);
- if(*len < sl+1)
+ if(*len < sl+2)
return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
s-str);
rd[++sl] = ch;
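Review bot: The corrected bound `sl+2` has no comment, unlike the other guards in this commit, and the off-by-one it fixes is easy to reintroduce. The reason is visible two lines below: `rd[++sl] = ch;` writes index `sl+1`, so `sl+2` bytes must be available. I would add a comment above the check, for example `/* the write below lands at rd[sl+1], so sl+2 bytes are needed */`. The loop body continues outside the hunk.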
@@ -2095,6 +2104,8 @@ int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
char* s;
int n;
n = strtol(str, &s, 10);
+ if(n < 0) /* negative number not allowed */
+ return LDNS_WIREPARSE_ERR_SYNTAX;
if(*len < ((size_t)n)+2)
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
if(n > 65535)
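Review bot: The new `n < 0` test, like the `n > 65535` test below it, runs on an `int` that was assigned from `strtol`, which returns `long`. Where `long` is wider than `int`, an out-of-range input is typically truncated first, so a value such as 4294967297 can become 1 and pass both checks. Declaring `long n;` lets both range checks see the parsed value before it is used in `((size_t)n)+2`. Whether the function also checks that digits were consumed (`s == str`) cannot be told from this hunk, since the rest of the body is outside it.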