mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

Silence Untrusted value as argument (TAINTED_SCALAR)

Browse Source 
Coverity assumes that the memory holding any value read using byte
swapping is tainted.  As we store the NSEC3 records in wire form
and iterations is byte swapped the memory holding the record is
marked as tainted.  nsec3->salt_length and nsec3->next_length are
marked as tainted transitively. To remove the taint the values need
to be range checked.  Valid values for these should never exceed
region.length so that is becomes a reasonable value to check against.

    *** CID 316509:    (TAINTED_SCALAR)
    /lib/dns/rdata/generic/nsec3_50.c: 312 in tostruct_nsec3()
    306     	if (nsec3->salt == NULL) {
    307     		return (ISC_R_NOMEMORY);
    308     	}
    309     	isc_region_consume(&region, nsec3->salt_length);
    310
    311     	nsec3->next_length = uint8_consume_fromregion(&region);
    >>>     CID 316509:    (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3->next_length" to "mem_maybedup", which uses it as an offset.
    312     	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
    313     	if (nsec3->next == NULL) {
    314     		goto cleanup;
    315     	}
    316     	isc_region_consume(&region, nsec3->next_length);
    317
    /lib/dns/rdata/generic/nsec3_50.c: 305 in tostruct_nsec3()
    299     	region.length = rdata->length;
    300     	nsec3->hash = uint8_consume_fromregion(&region);
    301     	nsec3->flags = uint8_consume_fromregion(&region);
    302     	nsec3->iterations = uint16_consume_fromregion(&region);
    303
    304     	nsec3->salt_length = uint8_consume_fromregion(&region);
    >>>     CID 316509:    (TAINTED_SCALAR)
    >>>     Passing tainted expression "nsec3->salt_length" to "mem_maybedup", which uses it as an offset.
    305     	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
    306     	if (nsec3->salt == NULL) {
    307     		return (ISC_R_NOMEMORY);
    308     	}
    309     	isc_region_consume(&region, nsec3->salt_length);
    310
This commit is contained in:
Mark Andrews 2021-01-27 17:11:52 +11:00
parent 698d6372aa
commit fd8d1337a5
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/dns/rdata/generic/nsec3_50.c
View File

@ -302,6 +302,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
nsec3->iterations = uint16_consume_fromregion(&region);
nsec3->salt_length = uint8_consume_fromregion(&region);
INSIST(nsec3->salt_length <= region.length);
nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
if (nsec3->salt == NULL) {
return (ISC_R_NOMEMORY);
@ -309,6 +310,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
isc_region_consume(&region, nsec3->salt_length);
nsec3->next_length = uint8_consume_fromregion(&region);
INSIST(nsec3->next_length <= region.length);
nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
if (nsec3->next == NULL) {
goto cleanup;