Fix out of bounds access in DHCID totext() method (#46001)

(cherry picked from commit 98998f3ddd) (cherry picked from commit 027a4a5b5d)
2017-09-19 19:30:28 +05:30
parent aaf04460a0
commit 71a86a75d9
2 changed files with 7 additions and 3 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+4780.	[bug]		Fix out of bounds access in DHCID totext() method.
+			[RT #46001]
+
 4729.	[bug]		Don't use memset() to wipe memory, as it may be
 			removed by compiler optimizations when the
 			memset() occurs on automatic stack allocation
--- a/lib/dns/rdata/in_1/dhcid_49.c
+++ b/lib/dns/rdata/in_1/dhcid_49.c
@@ -40,7 +40,7 @@ fromtext_in_dhcid(ARGS_FROMTEXT) {

 static inline isc_result_t
 totext_in_dhcid(ARGS_TOTEXT) {
-	isc_region_t sr;
+	isc_region_t sr, sr2;
 	char buf[sizeof(" ; 64000 255 64000")];
 	size_t n;

@@ -49,6 +49,7 @@ totext_in_dhcid(ARGS_TOTEXT) {
 	REQUIRE(rdata->length != 0);

 	dns_rdata_toregion(rdata, &sr);
+	sr2 = sr;

 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 		RETERR(str_totext("( " /*)*/, target));
@@ -61,8 +62,8 @@ totext_in_dhcid(ARGS_TOTEXT) {
 		RETERR(str_totext(/* ( */ " )", target));
 		if (rdata->length > 2) {
 			n = snprintf(buf, sizeof(buf), " ; %u %u %u",
-				     sr.base[0] * 256 + sr.base[1],
-				     sr.base[2], rdata->length - 3);
+				     sr2.base[0] * 256 + sr2.base[1],
+				     sr2.base[2], rdata->length - 3);
 			INSIST(n < sizeof(buf));
 			RETERR(str_totext(buf, target));
 		}