Merge branch '3191-issue-45178-in-oss-fuzz-bind9-dns_master_load_fuzzer-integer-overflow-in-generate' into 'main'

Resolve "Issue 45178 in oss-fuzz: bind9:dns_master_load_fuzzer: Integer-overflow in generate"

Closes #3191

See merge request isc-projects/bind9!5928

bin/tests/system/checkzone/tests.sh

@@ -29,9 +29,9 @@ do
 		$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
 		;;
 	esac
-	n=`expr $n + 1`
+	n=$((n+1))
 	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=`expr $status + $ret`
+	status=$((status+ret))
 done
 
 for db in zones/bad*.db
@@ -47,9 +47,9 @@ do
 		;;
 	esac
 	test $v = 1 || ret=1
-	n=`expr $n + 1`
+	n=$((n+1))
 	if [ $ret != 0 ]; then echo_i "failed"; fi
-	status=`expr $status + $ret`
+	status=$((status+ret))
 done
 
 echo_i "checking with journal file ($n)"
@@ -57,16 +57,16 @@ ret=0
 $CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
 $CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
 $MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
-jlines=`$JOURNALPRINT test.orig.db.jnl | wc -l`
+jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
 [ $jlines = 3 ] || ret=1
 $CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
 cmp -s test.changed.db test.out1.db || ret=1
 mv -f test.orig.db.jnl test.journal
 $CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
 cmp -s test.changed.db test.out2.db || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking with spf warnings ($n)"
 ret=0
@@ -78,57 +78,57 @@ grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
 grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
 grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
 grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking with max ttl (text) ($n)"
 ret=0
 $CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
 $CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking with max ttl (raw) ($n)"
 ret=0
 $CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
 $CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)"
 ret=0
 $CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
 grep "inherited.owner" test.out1.$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
 ret=0
 $CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
 grep "inherited.owner" test.out1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
 ret=0
 $CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
 grep "inherited.owner" test.out1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking that raw zone with bad class is handled ($n)"
 ret=0
 $CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
 grep "failed: bad class" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
 ret=0
@@ -155,47 +155,56 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
 ret=0
 $CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
 grep "is below a DNAME" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
 echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
 ret=0
 $CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
 grep "is below a DNAME" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
 
-n=`expr $n + 1`
+n=$((n+1))
 echo_i "checking that named-compilezone works when reading input from stdin ($n)"
 ret=0
 # Step 1: take raw input from stdin and convert it to text/relative format.
 # Last argument "-" is optional, but it says more explicitly that we're reading from stdin.
 cat zones/zone1.db | ./named-compilezone -f text -F text -s relative \
         -o zones/zone1_stdin.txt zone1.com - > /dev/null || ret=1
-status=`expr $status + $ret`
+status=$((status+ret))
 
 ret=0
 # Step 2: take raw input from file and convert it to text format.
 ./named-compilezone -f text -F text -s relative -o zones/zone1_file.txt \
         zone1.com zones/zone1.db > /dev/null || ret=1
-status=`expr $status + $ret`
+status=$((status+ret))
 
 ret=0
 # Step 3: Ensure that output conversion from stdin is the same as the output conversion from a file.
 diff zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1
-status=`expr $status + $ret`
-
 if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
+$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
+lines=$(grep -c CNAME test.out.$n)
+echo $lines
+[ "$lines" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

bin/tests/system/checkzone/zones/generate-overflow.db

@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		SOA	ns hostmaster 2011012708 3600 1200 604800 1200
+		NS	ns
+ns		A	192.0.2.1
+
+$GENERATE 19-28/2147483645	$ CNAME x

lib/dns/master.c

@@ -790,7 +790,8 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 	isc_buffer_t target;
 	isc_result_t result;
 	isc_textregion_t r;
-	int i, n, start, stop, step = 0;
+	int n, start, stop, step = 0;
+	unsigned int i;
 	dns_incctx_t *ictx;
 	char dummy[2];
 
@@ -845,7 +846,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 		goto insist_cleanup;
 	}
 
-	for (i = start; i <= stop; i += step) {
+	for (i = start; i <= (unsigned int)stop; i += step) {
 		result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
 		if (result != ISC_R_SUCCESS) {
 			goto error_cleanup;