mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00

Fix a stack buffer overflow in the statistics channel

A long timestamp in an If-Modified-Since header could overflow a
fixed-size buffer.
Tony Finch 2023-06-06 18:06:43 +01:00 committed by Ondřej Surý
parent bafb3f97c2
commit b22c87ca61
No known key found for this signature in database
GPG Key ID: 2820F37E873DEA41
2 changed files with 40 additions and 1 deletions


@ -74,8 +74,23 @@ loadkeys_on() {
status=0
n=1
echo_i "Prepare for if-modified-since test ($n)"
ret=0
i=0
if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then
URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl"
${CURL} --silent --show-error --fail --output bind9.xsl.1 $URL
ret=$?
else
echo_i "skipping test: requires libxml2 and curl"
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking consistency between named.stats and xml/json ($n)"
ret=0
rm -f ns2/named.stats
$DIGCMD +tcp example ns > dig.out.$n || ret=1
$RNDCCMD 10.53.0.2 stats 2>&1 | sed 's/^/I:ns1 /'
@ -563,5 +578,27 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "Check if-modified-since works ($n)"
ret=0
if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then
URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl"
# ensure over-long time stamps are ignored
${CURL} --silent --show-error --fail --output bind9.xsl.2 $URL \
--header 'If-Modified-Since: 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789'
if ! [ bind9.xsl.2 -nt bind9.xsl.1 ] ||
! ${CURL} --silent --show-error --fail \
--output bind9.xsl.3 $URL \
--time-cond bind9.xsl.1 ||
[ -f bind9.xsl.3 ]
then
ret=1
fi
else
echo_i "skipping test: requires libxml2 and curl"
fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
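Review bot: The request that carries the over-long `If-Modified-Since` value in the second hunk discards curl's exit status, so a server that dies or errors on that request is only noticed indirectly through the `-nt` comparison, and all three conditions end in the same bare `failed` line. Appending `|| ret=1` to that curl call would make the regression this commit guards against fail at its own step. The final `[ -f bind9.xsl.3 ]` check also assumes no copy of that file survives from an earlier run; an `rm -f bind9.xsl.3` before the `--time-cond` request would remove the dependence on cleanup that is not visible here. The test value is far longer than any valid timestamp, so an off-by-one in the length guard would probably still pass; a second case at the boundary length would cover that.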


@ -451,7 +451,9 @@ process_request(isc_httpd_t *httpd, size_t last_len) {
if (value_match(header, "deflate")) {
httpd->flags |= ACCEPT_DEFLATE;
}
} else if (name_match(header, "If-Modified-Since")) {
} else if (name_match(header, "If-Modified-Since") &&
header->value_len < ISC_FORMATHTTPTIMESTAMP_SIZE)
{
char timestamp[ISC_FORMATHTTPTIMESTAMP_SIZE + 1];
memmove(timestamp, header->value, header->value_len);
timestamp[header->value_len] = 0;
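Review bot: The new guard compares `header->value_len` against `ISC_FORMATHTTPTIMESTAMP_SIZE`, while the buffer is declared as `ISC_FORMATHTTPTIMESTAMP_SIZE + 1`, so the safety of the `memmove` and the terminator write depends on two separate expressions staying in step. The bound holds as written, since at most SIZE - 1 bytes are copied and the terminator index stays inside the array. Stating the relation next to the copy would protect it from later edits, for example `/* branch condition guarantees value_len < sizeof(timestamp) */` above the `memmove`. Because the length test sits in the `else if` condition, an over-long value is skipped silently and evaluation continues with whatever branches follow; a one-line comment saying such headers are deliberately ignored would record that intent. The rest of this branch and of process_request lies outside the hunk.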