From 67f85d648fdf0e39d097c74dd8a401fe3f200411 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 2 Jul 2020 13:26:06 +1000
Subject: [PATCH] Address overrun in remove_old_tsversions

If too many versions of log / dnstap files to be saved where requests
the memory after to_keep could be overwritten.  Force the number of
versions to be saved to a save level.  Additionally the memmove length
was incorrect.

(cherry picked from commit 6ca78bc57dece45029ee56a73161db7b68140286)
---
 lib/isc/log.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/isc/log.c b/lib/isc/log.c
index fcf387e94e..f43fb66978 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -1153,10 +1153,13 @@ remove_old_tsversions(isc_logfile_t *file, int versions) {
 	}
 
 	if (versions > 0) {
+		if (versions > ISC_LOG_MAX_VERSIONS) {
+			versions = ISC_LOG_MAX_VERSIONS;
+		}
 		/*
 		 * First we fill 'to_keep' structure using insertion sort
 		 */
-		memset(to_keep, 0, versions * sizeof(long long));
+		memset(to_keep, 0, sizeof(to_keep));
 		while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
 			if (dir.entry.length > bnamelen &&
 			    strncmp(dir.entry.name, bname, bnamelen) == 0 &&
@@ -1173,9 +1176,8 @@ remove_old_tsversions(isc_logfile_t *file, int versions) {
 					if (i < versions) {
 						memmove(&to_keep[i + 1],
 							&to_keep[i],
-							sizeof(long long) *
-									versions -
-								i - 1);
+							sizeof(to_keep[0]) *
+							(versions - i - 1));
 						to_keep[i] = version;
 					}
 				}