4354. [bug] Check that the received HMAC length matches the

expected length prior to check the contents on the control channel. This prevents a OOB read error. [RT #42215]
2025-08-30 22:15:20 +00:00 · 2016-05-05 14:19:37 +10:00
parent 006283c423
commit 402c63495c
2 changed files with 20 additions and 2 deletions
--- a/5
+++ b/5
@@ -1,3 +1,8 @@
+4354.	[bug]		Check that the received HMAC length matches the
+			expected length prior to check the contents on the
+			control channel.  This prevents a OOB read error.
+			[RT #42215]
+
 4353.	[cleanup]	Update PKCS#11 header files. [RT #42175]

 4352.	[cleanup]	The ISC DNSSEC Lookaside Validation (DLV) service
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -503,16 +503,29 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
 	 * Verify.
 	 */
 	if (algorithm == ISCCC_ALG_HMACMD5) {
+		isccc_region_t *region;
 		unsigned char *value;

-		value = (unsigned char *) isccc_sexpr_tostring(hmac);
+		region = isccc_sexpr_tobinary(hmac);
+		if ((region->rend - region->rstart) != HMD5_LENGTH)
+			return (ISCCC_R_BADAUTH);
+		value = region->rstart;
 		if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
 			return (ISCCC_R_BADAUTH);
 	} else {
+		isccc_region_t *region;
 		unsigned char *value;
 		isc_uint32_t valalg;

-		value = (unsigned char *) isccc_sexpr_tostring(hmac);
+		region = isccc_sexpr_tobinary(hmac);
+
+		/*
+		 * Note: with non-MD5 algorithms, there's an extra octet
+		 * to identify which algorithm is in use.
+		 */
+		if ((region->rend - region->rstart) != HSHA_LENGTH + 1)
+			return (ISCCC_R_BADAUTH);
+		value = region->rstart;
 		GET8(valalg, value);
 		if ((valalg != algorithm) ||
 		    !isc_safe_memequal(value, digestb64, HSHA_LENGTH))