From 0deee29113e5919c88f341ec3a181b70f7c905cc Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Feb 2007 01:51:43 +0000
Subject: [PATCH] 2147.   [bug]           libbind: remove potential buffer
 overflow from                         hmac_link.c. [RT #16437]

---
 CHANGES                  |  3 +++
 lib/bind/dst/hmac_link.c | 22 ++++++++++++++--------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index 68b86732df..9d9d51dfdd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2147.	[bug]		libbind: remove potential buffer overflow from
+			hmac_link.c. [RT #16437]
+
 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
 			SO_BSDCOMPAT" message. [RT #16641]
 
diff --git a/lib/bind/dst/hmac_link.c b/lib/bind/dst/hmac_link.c
index 8d58bdec33..eca5f01353 100644
--- a/lib/bind/dst/hmac_link.c
+++ b/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
 #ifdef HMAC_MD5
 #ifndef LINT
-static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/hmac_link.c,v 1.6 2006/03/09 23:57:56 marka Exp $";
+static const char rcsid[] = "$Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/lib/bind/dst/Attic/hmac_link.c,v 1.7 2007/02/26 01:51:43 marka Exp $";
 #endif
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
@@ -276,13 +276,18 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 			        const int buff_len)
 {
 	char *bp;
-	int len, b_len, i, key_len;
+	int len, i, key_len;
 	u_char key[HMAC_LEN];
 	HMAC_Key *hkey;
 
 	if (dkey == NULL || dkey->dk_KEY_struct == NULL) 
 		return (0);
-	if (buff == NULL || buff_len <= (int) strlen(key_file_fmt_str))
+	/*
+	 * Using snprintf() would be so much simpler here.
+	 */
+	if (buff == NULL ||
+	    buff_len <= (int)(strlen(key_file_fmt_str) +
+			      strlen(KEY_FILE_FORMAT) + 4))
 		return (-1);	/*%< no OR not enough space in output area */
 	hkey = (HMAC_Key *) dkey->dk_KEY_struct;
 	memset(buff, 0, buff_len);	/*%< just in case */
@@ -290,7 +295,6 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 	sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
 
 	bp = buff + strlen(buff);
-	b_len = buff_len - (bp - buff);
 
 	memset(key, 0, HMAC_LEN);
 	for (i = 0; i < HMAC_LEN; i++)
@@ -300,19 +304,21 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 			break;
 	key_len = i + 1;
 
+	if (buff_len - (bp - buff) < 6)
+		return (-1);
 	strcat(bp, "Key: ");
 	bp += strlen("Key: ");
-	b_len = buff_len - (bp - buff);
 
-	len = b64_ntop(key, key_len, bp, b_len);
+	len = b64_ntop(key, key_len, bp, buff_len - (bp - buff));
 	if (len < 0) 
 		return (-1);
 	bp += len;
+	if (buff_len - (bp - buff) < 2)
+		return (-1);
 	*(bp++) = '\n';
 	*bp = '\0';
-	b_len = buff_len - (bp - buff);
 
-	return (buff_len - b_len);
+	return (bp - buff);
 }