mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00

Merge branch '4053-cid-453470-use-after-free-in-lib-ns-client-c' into 'main'

Resolve "CID 453470: Use after free in lib/ns/client.c"

Closes #4053

See merge request isc-projects/bind9!7898
Mark Andrews 2023-05-23 03:02:26 +00:00
commit b92d33a849


@ -1150,14 +1150,13 @@ compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce,
isc_netaddr_t netaddr; isc_netaddr_t netaddr;
unsigned char *cp; unsigned char *cp;
cp = isc_buffer_used(buf);
isc_buffer_putmem(buf, client->cookie, 8); isc_buffer_putmem(buf, client->cookie, 8);
isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1); isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1);
isc_buffer_putuint8(buf, 0); /* Reserved */ isc_buffer_putuint8(buf, 0); /* Reserved */
isc_buffer_putuint16(buf, 0); /* Reserved */ isc_buffer_putuint16(buf, 0); /* Reserved */
isc_buffer_putuint32(buf, when); isc_buffer_putuint32(buf, when);
memmove(input, cp, 16); memmove(input, (unsigned char *)isc_buffer_used(buf) - 16, 16);
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
switch (netaddr.family) { switch (netaddr.family) {
@ -1185,11 +1184,10 @@ compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce,
unsigned char *cp; unsigned char *cp;
unsigned int i; unsigned int i;
cp = isc_buffer_used(buf);
isc_buffer_putmem(buf, client->cookie, 8); isc_buffer_putmem(buf, client->cookie, 8);
isc_buffer_putuint32(buf, nonce); isc_buffer_putuint32(buf, nonce);
isc_buffer_putuint32(buf, when); isc_buffer_putuint32(buf, when);
memmove(input, cp, 16); memmove(input, (unsigned char *)isc_buffer_used(buf) - 16, 16);
isc_aes128_crypt(secret, input, digest); isc_aes128_crypt(secret, input, digest);
for (i = 0; i < 8; i++) { for (i = 0; i < 8; i++) {
input[i] = digest[i] ^ digest[i + 8]; input[i] = digest[i] ^ digest[i + 8];
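Review bot: The `- 16` in both new `memmove` calls is only correct while the put calls just above write exactly 16 bytes (8 + 1 + 1 + 2 + 4 in the first hunk, 8 + 4 + 4 in the second), and nothing in the code ties the constant to that layout. If a cookie field is added or resized later, the copy would silently read the wrong bytes, possibly from before the cookie's start in the buffer. Saving an offset rather than a pointer keeps the fix and removes that coupling: `unsigned int start = isc_buffer_usedlength(buf);` before the writes and `memmove(input, (unsigned char *)isc_buffer_base(buf) + start, 16);` after them. A short comment would also help, since the reason for dropping the cached `cp` is not visible in the code; judging by the commit title it is presumably that the put calls can reallocate the buffer, for example `/* buf may be reallocated by the put calls; do not hold a pointer into it across them */`. `compute_cookie` starts and ends outside both hunks, so any later use of `cp` in these blocks is not visible here.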