mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 23:55:27 +00:00

remove the use of abs(), which could have led to false positives because of 64 to 32 bit truncation.
Brian Wellington
2001-01-16 22:47:56 +00:00
parent 1da54a3de9
commit 564c1b8f42


@@ -16,12 +16,11 @@
*/ */
/* /*
* $Id: tsig.c,v 1.103 2001/01/11 21:07:21 gson Exp $ * $Id: tsig.c,v 1.104 2001/01/16 22:47:56 bwelling Exp $
* Principal Author: Brian Wellington
*/ */
#include <config.h> #include <config.h>
#include <stdlib.h> /* Required for abs(). */ #include <stdlib.h>
#include <isc/buffer.h> #include <isc/buffer.h>
#include <isc/mem.h> #include <isc/mem.h>
@@ -729,14 +728,13 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
/* /*
* Is the time ok? * Is the time ok?
*/ */
if (abs(now + msg->timeadjust - tsig.timesigned) > tsig.fudge) { if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime; msg->tsigstatus = dns_tsigerror_badtime;
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) tsig_log(msg->tsigkey, 2, "signature has expired");
tsig_log(msg->tsigkey, 2, return (DNS_R_TSIGVERIFYFAILURE);
"signature has expired"); } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
else msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, tsig_log(msg->tsigkey, 2, "signature is in the future");
"signature is in the future");
return (DNS_R_TSIGVERIFYFAILURE); return (DNS_R_TSIGVERIFYFAILURE);
} }
@@ -952,15 +950,19 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
* Is the time ok? * Is the time ok?
*/ */
isc_stdtime_get(&now); isc_stdtime_get(&now);
if (abs(now - tsig.timesigned) > tsig.fudge) {
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime; msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired");
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_querystruct;
} else if (now + msg->timeadjust <
tsig.timesigned - tsig.fudge)
{
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2,
"signature is in the future");
ret = DNS_R_TSIGVERIFYFAILURE; ret = DNS_R_TSIGVERIFYFAILURE;
if (now > tsig.timesigned + tsig.fudge)
tsig_log(msg->tsigkey, 2,
"signature has expired");
else
tsig_log(msg->tsigkey, 2,
"signature is in the future");
goto cleanup_querystruct; goto cleanup_querystruct;
} }
} }
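Review bot: The lower-bound test `now + msg->timeadjust < tsig.timesigned - tsig.fudge`, in both dns_tsig_verify and tsig_verify_tcp, still subtracts two fields taken from the received TSIG record. Their types are not visible here, but if they are unsigned the difference wraps whenever timesigned is smaller than fudge. That case appears to fail closed, but writing the test as `} else if (now + msg->timeadjust + tsig.fudge < tsig.timesigned) {` would drop the reliance on wraparound. Separately, the tsig_verify_tcp hunk now applies `msg->timeadjust`, which the removed abs() check there did not; this matches dns_tsig_verify, but it is a behaviour change the commit message does not mention and deserves a line there or a comment such as `/* timeadjust applies to TCP continuation messages too */`. Both functions start and end outside the hunks shown, so the declarations of now, timesigned and fudge should be checked before changing the expression.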