CID 432231: Insecure data handling (TAINTED_SCALAR) in lib/dns/message.c
@artem @ondrej Coverity Scan reports insecure data handling in lib/dns/message.c:
*** CID 432231: Insecure data handling (TAINTED_SCALAR)
/lib/dns/message.c: 1689 in dns_message_parse()
1683
1684 msg->header_ok = 1;
1685 msg->state = DNS_SECTION_QUESTION;
1686
1687 dctx = DNS_DECOMPRESS_ALWAYS;
1688
>>> CID 432231: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "msg->counts" to "getquestions", which uses it as a loop boundary.
1689 ret = getquestions(source, msg, dctx, options);
1690 if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
1691 goto truncated;
1692 }
1693 if (ret == DNS_R_RECOVERABLE) {
1694 seen_problem = true;
94e650ce of !7235 (merged) seems to be the culprit here.
There's also:
*** CID 432230: (TAINTED_SCALAR)
/lib/ns/client.c: 1916 in ns__client_request()
1910 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
1911 "message parsing failed: %s",
1912 isc_result_totext(result));
1913 if (result == ISC_R_NOSPACE || result == DNS_R_BADTSIG) {
1914 result = DNS_R_FORMERR;
1915 }
>>> CID 432230: (TAINTED_SCALAR)
>>> Passing tainted expression "client->message" to "ns_client_error", which uses it as an offset.
1916 ns_client_error(client, result);
1917 return;
1918 }
1919
1920 dns_opcodestats_increment(client->manager->sctx->opcodestats,
1921 client->message->opcode);
/lib/ns/client.c: 1916 in ns__client_request()
1910 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
1911 "message parsing failed: %s",
1912 isc_result_totext(result));
1913 if (result == ISC_R_NOSPACE || result == DNS_R_BADTSIG) {
1914 result = DNS_R_FORMERR;
1915 }
>>> CID 432230: (TAINTED_SCALAR)
>>> Passing tainted expression "client->message" to "ns_client_error", which uses it as a loop boundary.
1916 ns_client_error(client, result);
1917 return;
1918 }
1919
1920 dns_opcodestats_increment(client->manager->sctx->opcodestats,
1921 client->message->opcode);
It also leads to isc_buffer_getuint16() of lib/isc/include/isc/buffer.h.
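The first finding above concerns `msg->counts`, the question count read from the untrusted header, being used as the loop bound in `getquestions`. As an added illustration (not BIND's code), the minimal C parser below keeps that loop but bounds every read by the buffer, so a header claiming more questions than the message carries yields an unexpected-end result instead of a read past the end; the result codes, `cursor_t`, and the sample messages are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the result codes the report mentions. */
enum { PARSE_OK = 0, PARSE_UNEXPECTEDEND = 1 };

/* Cursor over an untrusted wire-format buffer; every read checks remaining length. */
typedef struct { const uint8_t *base; size_t len, pos; } cursor_t;

static bool get_u16(cursor_t *c, uint16_t *out) {
    if (c->len - c->pos < 2) return false;
    *out = (uint16_t)((c->base[c->pos] << 8) | c->base[c->pos + 1]);
    c->pos += 2;
    return true;
}

/* Skip one owner name: labels up to 63 bytes, a root label, or a compression pointer. */
static bool skip_name(cursor_t *c) {
    while (c->pos < c->len) {
        uint8_t l = c->base[c->pos++];
        if (l == 0) return true;                       /* root label ends the name */
        if ((l & 0xC0) == 0xC0) {                      /* pointer: one more byte */
            if (c->pos >= c->len) return false;
            c->pos++;
            return true;
        }
        if (l > 63 || c->len - c->pos < l) return false;
        c->pos += l;
    }
    return false;                                      /* ran out of bytes mid-name */
}

/* qdcount is tainted, so the loop is also bounded by the data: each question must
 * fully fit, otherwise PARSE_UNEXPECTEDEND is returned with *parsed questions done. */
int parse_questions(const uint8_t *msg, size_t len, unsigned *parsed) {
    cursor_t c = { msg, len, 12 };                     /* skip the 12-byte header */
    uint16_t qtype, qclass;
    *parsed = 0;
    if (len < 12) return PARSE_UNEXPECTEDEND;
    uint16_t qdcount = (uint16_t)((msg[4] << 8) | msg[5]);
    for (uint16_t i = 0; i < qdcount; i++) {
        if (!skip_name(&c) || !get_u16(&c, &qtype) || !get_u16(&c, &qclass))
            return PARSE_UNEXPECTEDEND;
        (*parsed)++;
    }
    return PARSE_OK;
}

/* Constructed samples: one "a." IN A question; the second claims qdcount = 65535. */
static const uint8_t sample_ok[]    = { 0x12,0x34, 0x01,0x00, 0x00,0x01, 0,0, 0,0, 0,0, 1,'a',0, 0,1, 0,1 };
static const uint8_t sample_trunc[] = { 0x12,0x34, 0x01,0x00, 0xff,0xff, 0,0, 0,0, 0,0, 1,'a',0, 0,1, 0,1 };

int main(void) {
    unsigned n;
    int r = parse_questions(sample_trunc, sizeof sample_trunc, &n);
    printf("result=%d parsed=%u\n", r, n);             /* prints result=1 parsed=1 */
    return 0;
}
```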