From f555fab032ced380800f1fb9d673b04968bcf1a2 Mon Sep 17 00:00:00 2001
From: eaglegai <eaglegai@163.com>
Date: Mon, 26 Aug 2024 08:08:59 +0000
Subject: [PATCH] fix CVE-2024-43168 better

(cherry picked from commit 87321278ef201e74dbab50fea5aedaa085213344)
---
 ...patch => backport-001-CVE-2024-43168.patch |   0
 backport-002-CVE-2024-43168.patch             |  56 ++++++++
 backport-003-CVE-2024-43168.patch             | 135 ++++++++++++++++++
 backport-004-CVE-2024-43168.patch             |  44 ++++++
 unbound.spec                                  |  13 +-
 5 files changed, 246 insertions(+), 2 deletions(-)
 rename backport-CVE-2024-43168.patch => backport-001-CVE-2024-43168.patch (100%)
 create mode 100644 backport-002-CVE-2024-43168.patch
 create mode 100644 backport-003-CVE-2024-43168.patch
 create mode 100644 backport-004-CVE-2024-43168.patch

diff --git a/backport-CVE-2024-43168.patch b/backport-001-CVE-2024-43168.patch
similarity index 100%
rename from backport-CVE-2024-43168.patch
rename to backport-001-CVE-2024-43168.patch
diff --git a/backport-002-CVE-2024-43168.patch b/backport-002-CVE-2024-43168.patch
new file mode 100644
index 0000000..681c498
--- /dev/null
+++ b/backport-002-CVE-2024-43168.patch
@@ -0,0 +1,56 @@
+From dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Wed, 3 Apr 2024 10:16:18 +0200
+Subject: [PATCH] - For #1040: adjust error text and disallow negative ports in
+ other   parts of cfg_mark_ports.
+
+---
+ util/config_file.c | 14 +++++++++++++-
+ 1 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index e7b2f195..74554286 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1762,7 +1762,7 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 	if(!mid) {
+ 		int port = atoi(str);
+ 		if(port < 0) {
+-			log_err("Prevent out-of-bounds access to array avail");
++			log_err("port number is negative: %d", port);
+ 			return 0;
+ 		}
+ 		if(port == 0 && strcmp(str, "0") != 0) {
+@@ -1774,6 +1774,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 	} else {
+ 		int i, low, high = atoi(mid+1);
+ 		char buf[16];
++		if(high < 0) {
++			log_err("port number is negative: %d", high);
++			return 0;
++		}
+ 		if(high == 0 && strcmp(mid+1, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", mid+1);
+ 			return 0;
+@@ -1786,10 +1790,18 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 			memcpy(buf, str, (size_t)(mid-str));
+ 		buf[mid-str] = 0;
+ 		low = atoi(buf);
++		if(low < 0) {
++			log_err("port number is negative: %d", low);
++			return 0;
++		}
+ 		if(low == 0 && strcmp(buf, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", buf);
+ 			return 0;
+ 		}
++		if(high > num) {
++			/* Stop very high values from taking a long time. */
++			high = num;
++		}
+ 		for(i=low; i<=high; i++) {
+ 			if(i < num)
+ 				avail[i] = (allow?i:0);
+-- 
+2.33.0
+
diff --git a/backport-003-CVE-2024-43168.patch b/backport-003-CVE-2024-43168.patch
new file mode 100644
index 0000000..3d86328
--- /dev/null
+++ b/backport-003-CVE-2024-43168.patch
@@ -0,0 +1,135 @@
+From 4497e8a154f53cd5947a6ee5aa65cf99be57152e Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 May 2024 11:35:52 +0000
+Subject: [PATCH] Fix potential overflow bug while parsing port in function
+ cfg_mark_ports
+
+---
+ util/config_file.c | 76 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 50 insertions(+), 26 deletions(-)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 2b67d4c1..4a3b7d77 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -42,6 +42,7 @@
+ #include "config.h"
+ #include <ctype.h>
+ #include <stdarg.h>
++#include <errno.h>
+ #ifdef HAVE_TIME_H
+ #include <time.h>
+ #endif
+@@ -1772,6 +1773,38 @@ init_outgoing_availports(int* a, int num)
+ 	}
+ }
+ 
++static int
++extract_port_from_str(const char* str, int max_port) {
++	char* endptr;
++	if (str == NULL || *str == '\0') {
++		log_err("str: '%s' is invalid", str);
++		return -1;
++	}
++
++	long int value = strtol(str, &endptr, 10);
++	if ((endptr == str) || (*endptr != '\0'))  {
++		log_err("cannot parse port number '%s'", str);
++		return -1;
++	}
++
++	if (errno == ERANGE) {
++                log_err("overflow occurred when parsing '%s'", str);
++		return -1;
++	}
++
++	if (value == 0 && strcmp(str, "0") != 0) {
++		log_err("cannot parse port number '%s'", str);
++		return -1;
++	}
++
++	if (value < 0 || value >= max_port) {
++		log_err(" '%s' is out of bounds [0, %d)", str, max_port);
++		return -1;
++	}
++
++	return (int)value;
++}
++
+ int 
+ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ {
+@@ -1782,53 +1815,44 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 		"options");
+ #endif
+ 	if(!mid) {
+-		int port = atoi(str);
+-		if(port < 0) {
+-			log_err("port number is negative: %d", port);
++		int port = extract_port_from_str(str, num);
++		if (port < 0) {
++			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
+-		if(port == 0 && strcmp(str, "0") != 0) {
+-			log_err("cannot parse port number '%s'", str);
+-			return 0;
+-		}
+-		if(port < num)
+-			avail[port] = (allow?port:0);
++		avail[port] = (allow?port:0);
+ 	} else {
+-		int i, low, high = atoi(mid+1);
+ 		char buf[16];
+-		if(high < 0) {
+-			log_err("port number is negative: %d", high);
+-			return 0;
+-		}
+-		if(high == 0 && strcmp(mid+1, "0") != 0) {
+-			log_err("cannot parse port number '%s'", mid+1);
++		int i, low;
++		int high = extract_port_from_str(mid+1, num);
++		if (high < 0) {
++			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
++
+ 		if( (int)(mid-str)+1 >= (int)sizeof(buf) ) {
+ 			log_err("cannot parse port number '%s'", str);
+ 			return 0;
+ 		}
++
+ 		if(mid > str)
+ 			memcpy(buf, str, (size_t)(mid-str));
+ 		buf[mid-str] = 0;
+-		low = atoi(buf);
+-		if(low < 0) {
+-			log_err("port number is negative: %d", low);
++		low = extract_port_from_str(buf, num);
++		if (low < 0) {
++			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
+-		if(low == 0 && strcmp(buf, "0") != 0) {
+-			log_err("cannot parse port number '%s'", buf);
++
++		if (low > high) {
++			log_err("Low value is greater than high value");
+ 			return 0;
+ 		}
+-		if(high > num) {
+-			/* Stop very high values from taking a long time. */
+-			high = num;
+-		}
++
+ 		for(i=low; i<=high; i++) {
+ 			if(i < num)
+ 				avail[i] = (allow?i:0);
+ 		}
+-		return 1;
+ 	}
+ 	return 1;
+ }
+-- 
+2.33.0
+
diff --git a/backport-004-CVE-2024-43168.patch b/backport-004-CVE-2024-43168.patch
new file mode 100644
index 0000000..5d70552
--- /dev/null
+++ b/backport-004-CVE-2024-43168.patch
@@ -0,0 +1,44 @@
+From c085a53268940dfbb907cbaa7a690740b6c8210c Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Tue, 7 May 2024 14:05:21 +0200
+Subject: [PATCH] - Fix for #1062: declaration before statement, avoid print of
+ null,   and redundant check for array size. And changelog note for merge of
+ #1062.
+
+---
+ util/config_file.c | 8 +++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 4a3b7d77..2ac6c468 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1776,12 +1776,13 @@ init_outgoing_availports(int* a, int num)
+ static int
+ extract_port_from_str(const char* str, int max_port) {
+ 	char* endptr;
++	long int value;
+ 	if (str == NULL || *str == '\0') {
+-		log_err("str: '%s' is invalid", str);
++		log_err("str: '%s' is invalid", (str?str:"NULL"));
+ 		return -1;
+ 	}
+ 
+-	long int value = strtol(str, &endptr, 10);
++	value = strtol(str, &endptr, 10);
+ 	if ((endptr == str) || (*endptr != '\0'))  {
+ 		log_err("cannot parse port number '%s'", str);
+ 		return -1;
+@@ -1820,7 +1821,8 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
+-		avail[port] = (allow?port:0);
++		if(port < num)
++			avail[port] = (allow?port:0);
+ 	} else {
+ 		char buf[16];
+ 		int i, low;
+-- 
+2.33.0
+
diff --git a/unbound.spec b/unbound.spec
index a32e4f7..fee2457 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -2,7 +2,7 @@
 
 Name:          unbound
 Version:       1.17.1
-Release:       7
+Release:       8
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD-3-Clause
 Url:           https://nlnetlabs.nl/projects/unbound/about/
@@ -29,7 +29,10 @@ Patch5:        backport-pre-CVE-2024-33655-Fix-possibly-unaligned-memory-access-
 Patch6:        backport-pre-CVE-2024-33655-Fix-out-of-bounds-read-in-parse_edns_options_from_query.patch
 Patch7:        backport-CVE-2024-33655.patch
 Patch8:        backport-CVE-2024-43167.patch
-Patch9:        backport-CVE-2024-43168.patch
+Patch9:        backport-001-CVE-2024-43168.patch
+Patch10:       backport-002-CVE-2024-43168.patch
+Patch11:       backport-003-CVE-2024-43168.patch
+Patch12:       backport-004-CVE-2024-43168.patch
 
 BuildRequires: make flex swig pkgconfig systemd
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@@ -266,6 +269,12 @@ popd
 %{_mandir}/man*
 
 %changelog
+* Mon Aug 26 2024 gaihuiying <eaglegai@163.com> - 1.17.1-8
+- Type:cves
+- CVE:CVE-2024-43168
+- SUG:NA
+- DESC:fix CVE-2024-43168 better
+
 * Mon Aug 19 2024 gaihuiying <eaglegai@163.com> - 1.17.1-7
 - Type:cves
 - CVE:CVE-2024-43167 CVE-2024-43168
-- 
Gitee