Silence use of tainted scalar

2607 43. tainted_argument: Calling function journal_read_xhdr taints argument xhdr.size. [show details] 2608 result = journal_read_xhdr(j1, &xhdr); 44. Condition rewrite, taking true branch. 45. Condition result == 29, taking false branch. 2609 if (rewrite && result == ISC_R_NOMORE) { 2610 break; 2611 } 46. Condition result != 0, taking false branch. 2612 CHECK(result); 2613 47. var_assign_var: Assigning: size = xhdr.size. Both are now tainted. 2614 size = xhdr.size; CID 331088 (#3 of 3): Untrusted allocation size (TAINTED_SCALAR) 48. tainted_data: Passing tainted expression size to isc__mem_get, which uses it as an allocation size. [show details] Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range. 2615 buf = isc_mem_get(mctx, size);
2025-08-31 14:35:26 +00:00 · 2021-07-07 12:09:31 +10:00
parent d7aa979a6c
commit 83fd38dd2c
1 changed files with 17 additions and 0 deletions
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -2613,6 +2613,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
 			CHECK(result);

 			size = xhdr.size;
+			if (size > len) {
+				isc_log_write(JOURNAL_COMMON_LOGARGS,
+					      ISC_LOG_ERROR,
+					      "%s: journal file corrupt, "
+					      "transaction too large",
+					      j1->filename);
+				CHECK(ISC_R_FAILURE);
+			}
 			buf = isc_mem_get(mctx, size);
 			result = journal_read(j1, buf, size);

@@ -2637,6 +2645,15 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
 				/* Check again */
 				isc_mem_put(mctx, buf, size);
 				size = xhdr.size;
+				if (size > len) {
+					isc_log_write(
+						JOURNAL_COMMON_LOGARGS,
+						ISC_LOG_ERROR,
+						"%s: journal file corrupt, "
+						"transaction too large",
+						j1->filename);
+					CHECK(ISC_R_FAILURE);
+				}
 				buf = isc_mem_get(mctx, size);
 				CHECK(journal_read(j1, buf, size));