From 83fd38dd2ccf682fee117c389f17b2e0089e36aa Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 7 Jul 2021 12:09:31 +1000 Subject: [PATCH] Silence use of tainted scalar 2607 43. tainted_argument: Calling function journal_read_xhdr taints argument xhdr.size. [show details] 2608 result = journal_read_xhdr(j1, &xhdr); 44. Condition rewrite, taking true branch. 45. Condition result == 29, taking false branch. 2609 if (rewrite && result == ISC_R_NOMORE) { 2610 break; 2611 } 46. Condition result != 0, taking false branch. 2612 CHECK(result); 2613 47. var_assign_var: Assigning: size = xhdr.size. Both are now tainted. 2614 size = xhdr.size; CID 331088 (#3 of 3): Untrusted allocation size (TAINTED_SCALAR) 48. tainted_data: Passing tainted expression size to isc__mem_get, which uses it as an allocation size. [show details] Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range. 2615 buf = isc_mem_get(mctx, size); --- lib/dns/journal.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/dns/journal.c b/lib/dns/journal.c index 567692e7a4..f59855dd63 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -2613,6 +2613,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial, CHECK(result); size = xhdr.size; + if (size > len) { + isc_log_write(JOURNAL_COMMON_LOGARGS, + ISC_LOG_ERROR, + "%s: journal file corrupt, " + "transaction too large", + j1->filename); + CHECK(ISC_R_FAILURE); + } buf = isc_mem_get(mctx, size); result = journal_read(j1, buf, size); @@ -2637,6 +2645,15 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial, /* Check again */ isc_mem_put(mctx, buf, size); size = xhdr.size; + if (size > len) { + isc_log_write( + JOURNAL_COMMON_LOGARGS, + ISC_LOG_ERROR, + "%s: journal file corrupt, " + "transaction too large", + j1->filename); + CHECK(ISC_R_FAILURE); + } buf = isc_mem_get(mctx, size); CHECK(journal_read(j1, buf, size));