From fd8d1337a53a68c5e3145dadec173674f2db0cfb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 27 Jan 2021 17:11:52 +1100 Subject: [PATCH] Silence Untrusted value as argument (TAINTED_SCALAR) Coverity assumes that the memory holding any value read using byte swapping is tainted. As we store the NSEC3 records in wire form and iterations is byte swapped, the memory holding the record is marked as tainted. nsec3->salt_length and nsec3->next_length are marked as tainted transitively. To remove the taint the values need to be range checked. Valid values for these should never exceed region.length so that becomes a reasonable value to check against. *** CID 316509: (TAINTED_SCALAR) /lib/dns/rdata/generic/nsec3_50.c: 312 in tostruct_nsec3() 306 if (nsec3->salt == NULL) { 307 return (ISC_R_NOMEMORY); 308 } 309 isc_region_consume(&region, nsec3->salt_length); 310 311 nsec3->next_length = uint8_consume_fromregion(&region); >>> CID 316509: (TAINTED_SCALAR) >>> Passing tainted expression "nsec3->next_length" to "mem_maybedup", which uses it as an offset. 312 nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length); 313 if (nsec3->next == NULL) { 314 goto cleanup; 315 } 316 isc_region_consume(&region, nsec3->next_length); 317 /lib/dns/rdata/generic/nsec3_50.c: 305 in tostruct_nsec3() 299 region.length = rdata->length; 300 nsec3->hash = uint8_consume_fromregion(&region); 301 nsec3->flags = uint8_consume_fromregion(&region); 302 nsec3->iterations = uint16_consume_fromregion(&region); 303 304 nsec3->salt_length = uint8_consume_fromregion(&region); >>> CID 316509: (TAINTED_SCALAR) >>> Passing tainted expression "nsec3->salt_length" to "mem_maybedup", which uses it as an offset. 305 nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length); 306 if (nsec3->salt == NULL) { 307 return (ISC_R_NOMEMORY); 308 } 309 isc_region_consume(&region, nsec3->salt_length); 310 --- lib/dns/rdata/generic/nsec3_50.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index 027f888a27..e1eab66d5a 100644
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -302,6 +302,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 nsec3->iterations = uint16_consume_fromregion(®ion);
 
 nsec3->salt_length = uint8_consume_fromregion(®ion);
+ INSIST(nsec3->salt_length <= region.length);
 nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
 if (nsec3->salt == NULL) {
 return (ISC_R_NOMEMORY);
@@ -309,6 +310,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 isc_region_consume(®ion, nsec3->salt_length);
 
 nsec3->next_length = uint8_consume_fromregion(®ion);
+ INSIST(nsec3->next_length <= region.length);
 nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
 if (nsec3->next == NULL) {
 goto cleanup;
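Review bot: Both added checks (`INSIST(nsec3->salt_length <= region.length)` in the first hunk and the same test on `next_length` in the second) abort the process on failure instead of returning an error, so they are only appropriate if every rdata that reaches tostruct_nsec3() had these lengths validated when it was parsed. That validation is not visible in this diff, so once it is confirmed I would record the invariant beside the assertion, e.g. `/* Lengths were range-checked when the rdata was created; a failure here is a caller bug, not malformed input. */`. If unvalidated wire data can get here, the first check should be an error return such as `if (nsec3->salt_length > region.length) { return (ISC_R_UNEXPECTEDEND); }`, and the second should take the existing `goto cleanup` path with a failure result. The function body starts and ends outside both hunks, so the cleanup label and any length check covering the fixed-size fields read before `salt_length` could not be reviewed.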