From 86898c4a01aa1855469c82632eef769883a357ac Mon Sep 17 00:00:00 2001
From: jiangheng
Date: Mon, 7 Feb 2022 17:35:18 +0800
Subject: [PATCH] fix integer overflow in sldns_wire2str_pkt_scan
---
 ...fine-shift-in-sldns_str2wire_hip_buf.patch | 0
 ...ger-overflow-in-sldns_wire2str_pkt_s.patch | 41 +++++++++++++++++++
 unbound.spec | 11 ++++-
 3 files changed, 50 insertions(+), 2 deletions(-)
 rename backport-Fix-610-Undefine-shift-in-sldns_str2wire_hip_buf.patch => backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch (100%)
 create mode 100644 backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch
diff --git a/backport-Fix-610-Undefine-shift-in-sldns_str2wire_hip_buf.patch b/backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch
similarity index 100%
rename from backport-Fix-610-Undefine-shift-in-sldns_str2wire_hip_buf.patch
rename to backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch
diff --git a/backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch b/backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch
new file mode 100644
index 0000000..bf61f9a
--- /dev/null
+++ b/backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch
@@ -0,0 +1,41 @@
+From c29b0e0a96c4d281aef40d69a11c564d6ed1a2c6 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards"
+Date: Thu, 3 Feb 2022 09:03:09 +0100
+Subject: [PATCH] - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
+---
+ sldns/wire2str.c | 11 +++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/sldns/wire2str.c b/sldns/wire2str.c
+index 6a177ec..b70efe2 100644
+--- a/sldns/wire2str.c
++++ b/sldns/wire2str.c
+@@ -817,6 +817,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
+ unsigned i, counter=0;
+ unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */
+ int in_buf = 1;
++ size_t dname_len = 0;
+ if(comprloop) {
+ if(*comprloop != 0)
+ maxcompr = 30; /* for like ipv6 reverse name, per label */
+@@ -872,6 +873,16 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
+ labellen = (uint8_t)*dlen;
+ else if(!in_buf && pos+(size_t)labellen > pkt+pktlen)
+ labellen = (uint8_t)(pkt + pktlen - pos);
++ dname_len += ((size_t)labellen)+1;
++ if(dname_len > LDNS_MAX_DOMAINLEN) {
++ /* dname_len counts the uncompressed length we have
++ * seen so far, and the domain name has become too
++ * long, prevent the loop from printing overly long
++ * content. */
++ w += sldns_str_print(s, slen,
++ "ErrorDomainNameTooLong");
++ return w;
++ }
+ for(i=0; i<(unsigned)labellen; i++) {
+ w += dname_char_print(s, slen, *pos++);
+ }
+--
+1.8.3.1
+
diff --git a/unbound.spec b/unbound.spec
index 0e260a9..f72d5a4 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -2,7 +2,7 @@
 Name: unbound
 Version: 1.11.0
-Release: 4
+Release: 5
 Summary: Unbound is a validating, recursive, caching DNS resolver
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/about/
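Review bot: The new `return w;` in the backported `sldns_wire2str_dname_scan` hunk (`@@ -872,6 +873,16 @@`) reports an over-long name only as the in-band text `ErrorDomainNameTooLong` with an ordinary length return, and it leaves before the `for` loop that prints the label, so whether `*d`/`*dlen` are left pointing inside the name on this path depends on code outside the hunk and should be confirmed against the callers. The function's header comment, also outside the hunk, should record the new limit, for example `/* output stops with "ErrorDomainNameTooLong" once the uncompressed name exceeds LDNS_MAX_DOMAINLEN */`. `dname_len` is summed from the already-clamped `labellen`, so the bound applies to the bytes that would actually be printed, which is the quantity that matters for capping output growth. Separately, the embedded patch's diffstat still reads `2 files changed, 14 insertions(+)` while only `sldns/wire2str.c` (11 lines) is carried; a line in the patch header naming the file dropped from the backport would help auditors match it to upstream commit c29b0e0a.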
@@ -24,7 +24,8 @@ Source13: unbound-anchor.service
 Patch0: CVE-2020-28935.patch
 Patch6000: unbound-remove-buildin-key.patch
-Patch6001: backport-Fix-610-Undefine-shift-in-sldns_str2wire_hip_buf.patch
+Patch6001: backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch
+Patch6002: backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch
 BuildRequires: make flex swig pkgconfig systemd python-unversioned-command
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@@ -231,6 +232,12 @@ popd
 %{_mandir}/man*
 %changelog
+* Mon Feb 07 2022 jiangheng - 1.11.0-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix integer overflow in sldns_wire2str_pkt_scan
+
 * Tue Jan 25 2022 jiangheng - 1.11.0-4
 - Type:bugfix
 - ID:NA
-- Gitee