4299. [bug] Check that exactly totallen bytes are read when

reading a RRset from raw files in both single read and incremental modes. [RT #41402]

4299. [bug] Check that exactly totallen bytes are read when
reading a RRset from raw files in both single read and incremental modes. [RT #41402]
1d383fd4 · Mark Andrews · 3ecc17d5 · 1d383fd4 · 1d383fd4
Commit 1d383fd4 authored Jan 21, 2016 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+4299.	[bug]		Check that exactly totallen bytes are read when
+			reading a RRset from raw files in both single read
+			and incremental modes. [RT #41402]
+
 4298.	[bug]		dns_rpz_add errors in loadzone were not being
 			propogated up the call stack. [RT #41425]


--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -2112,12 +2112,18 @@ pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
 	return (result);
 }

+/*
+ * Fill/check exists buffer with 'len' bytes.  Track remaining bytes to be
+ * read when incrementally filling the buffer.
+ */
 static inline isc_result_t
 read_and_check(isc_boolean_t do_read, isc_buffer_t *buffer,
-	       size_t len, FILE *f)
+	       size_t len, FILE *f, isc_uint32_t *totallen)
 {
 	isc_result_t result;

+	REQUIRE(totallen != NULL);
+
 	if (do_read) {
 		INSIST(isc_buffer_availablelength(buffer) >= len);
 		result = isc_stdio_read(isc_buffer_used(buffer), 1, len,
@@ -2125,6 +2131,9 @@ read_and_check(isc_boolean_t do_read, isc_buffer_t *buffer,
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		isc_buffer_add(buffer, (unsigned int)len);
+		if (*totallen < len)
+			return (ISC_R_RANGE);
+		*totallen -= len;
 	} else if (isc_buffer_remaininglength(buffer) < len)
 		return (ISC_R_RANGE);

@@ -2340,6 +2349,7 @@ load_raw(dns_loadctx_t *lctx) {
 			goto cleanup;
 		isc_buffer_add(&target, sizeof(totallen));
 		totallen = isc_buffer_getuint32(&target);
+
 		/*
 		 * Validation: the input data must at least contain the common
 		 * header.
@@ -2381,6 +2391,7 @@ load_raw(dns_loadctx_t *lctx) {
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		isc_buffer_add(&target, (unsigned int)readlen);
+		totallen -= readlen;

 		/* Construct RRset headers */
 		dns_rdatalist_init(&rdatalist);
@@ -2401,7 +2412,7 @@ load_raw(dns_loadctx_t *lctx) {

 		/* Owner name: length followed by name */
 		result = read_and_check(sequential_read, &target,
-					sizeof(namelen), lctx->f);
+					sizeof(namelen), lctx->f, &totallen);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		namelen = isc_buffer_getuint16(&target);
@@ -2411,7 +2422,7 @@ load_raw(dns_loadctx_t *lctx) {
 		}

 		result = read_and_check(sequential_read, &target, namelen,
-					lctx->f);
+					lctx->f, &totallen);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;

@@ -2481,14 +2492,15 @@ load_raw(dns_loadctx_t *lctx) {

 			/* rdata length */
 			result = read_and_check(sequential_read, &target,
-						sizeof(rdlen), lctx->f);
+						sizeof(rdlen), lctx->f,
+						&totallen);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			rdlen = isc_buffer_getuint16(&target);

 			/* rdata */
 			result = read_and_check(sequential_read, &target,
-						rdlen, lctx->f);
+						rdlen, lctx->f, &totallen);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			isc_buffer_setactive(&target, (unsigned int)rdlen);
@@ -2514,7 +2526,7 @@ load_raw(dns_loadctx_t *lctx) {
 		 * necessarily critical, but it very likely indicates broken
 		 * or malformed data.
 		 */
-		if (isc_buffer_remaininglength(&target) != 0) {
+		if (isc_buffer_remaininglength(&target) != 0 || totallen != 0) {
 			result = ISC_R_RANGE;
 			goto cleanup;
 		}