ISC Open Source Projects / BIND / Issues / #411

Closed
Created Jul 12, 2018 by Bill Parker@dogbert2

Possible Misuse of sizeof() in BIND-9.12.1-P2 (CWE-467)

Summary

In directory 'isc/dns', file 'openssldh_link.c', in function 'openssldh_tofile', there appears to be a possible misuse of sizeof for bufs which is declared:

unsigned char *bufs[4];

Here is the code snippet:

static isc_result_t
openssldh_tofile(const dst_key_t *key, const char *directory) {
        int i;
        DH *dh;
        const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
        dst_private_t priv;
        unsigned char *bufs[4];
        isc_result_t result;

        if (key->keydata.dh == NULL)
                return (DST_R_NULLKEY);

        if (key->external)
                return (DST_R_EXTERNALKEY);

        dh = key->keydata.dh;
        DH_get0_key(dh, &pub_key, &priv_key);
        DH_get0_pqg(dh, &p, NULL, &g);

        memset(bufs, 0, sizeof(bufs));

Steps to reproduce

N/A

What is the current bug behavior?

Possible Misuse of sizeof()

What is the expected correct behavior?

Here is an example of a test program:

bill@snoopy:~$ cat test.c
#include <stdio.h>

int main()
{
        unsigned char *buf[4];
        printf("size of buf is: %zu\n", sizeof(buf));
        printf("size of *buf is: %zu\n", sizeof(*buf));
        return 0;
}

which produces the output below:

bill@snoopy:~$ gcc -Wall test.c       
bill@snoopy:~$ ./a.out
size of buf is: 32
size of *buf is: 8

Relevant configuration files

N/A

Relevant logs and/or screenshots

N/A

Possible fixes

https://cwe.mitre.org/data/definitions/467.html

Should the call to memset be:

memset(bufs, 0, sizeof(*bufs));

instead?

Edited Jul 12, 2018 by Mark Andrews
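The program below is an added example, not code from this issue or from BIND. It uses the same declaration as the report, `unsigned char *bufs[4]`, and makes the two sizeof() forms observable instead of arithmetic: it reports how many bytes each form hands to memset(), how many of the four pointer slots are NULL afterwards, and why sizeof() applied to an array that has decayed to a pointer parameter is the situation CWE-467 describes. All function names (`null_slots_after_memset`, `clear_pointer_array`, and so on) are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example; mirrors the declaration under discussion, unsigned char *bufs[4]. */
#define NBUFS 4

/* Bytes that memset(bufs, 0, sizeof(bufs)) clears: the whole array of pointers. */
size_t bytes_cleared_by_sizeof_array(void) {
    unsigned char *bufs[NBUFS];
    return sizeof(bufs);               /* NBUFS * sizeof(unsigned char *) */
}

/* Bytes that memset(bufs, 0, sizeof(*bufs)) clears: a single pointer element. */
size_t bytes_cleared_by_sizeof_element(void) {
    unsigned char *bufs[NBUFS];
    return sizeof(*bufs);              /* sizeof(unsigned char *) */
}

/* Count the NULL pointer slots in a NBUFS-element array. */
static int count_null_slots(unsigned char **arr) {
    int i, nulls = 0;
    for (i = 0; i < NBUFS; i++)
        if (arr[i] == NULL)
            nulls++;
    return nulls;
}

/* Fill all slots with a constructed non-NULL value, clear `len` bytes, and
 * report how many slots ended up NULL.  Clearing sizeof(bufs) bytes nulls
 * every slot; clearing sizeof(*bufs) bytes nulls only the first one. */
int null_slots_after_memset(size_t len) {
    unsigned char sentinel = 0;        /* any object address serves as "non-NULL" */
    unsigned char *bufs[NBUFS];
    int i;

    for (i = 0; i < NBUFS; i++)
        bufs[i] = &sentinel;           /* constructed non-NULL contents */

    if (len > sizeof(bufs))            /* never clear past the object itself */
        len = sizeof(bufs);
    memset(bufs, 0, len);

    return count_null_slots(bufs);
}

/* A parameter written as `unsigned char *bufs[]` is really `unsigned char **`:
 * the array has decayed, so sizeof() yields the pointer size, not the array
 * size.  This is the CWE-467 trap; a clearing helper must take the count. */
size_t sizeof_of_decayed_parameter(unsigned char **bufs) {
    (void)bufs;
    return sizeof(bufs);               /* == sizeof(unsigned char **) */
}

void clear_pointer_array(unsigned char **arr, size_t count) {
    memset(arr, 0, count * sizeof(arr[0]));
}

/* Same experiment, but using the count-taking helper instead of sizeof(). */
int null_slots_after_helper(void) {
    unsigned char sentinel = 0;
    unsigned char *bufs[NBUFS];
    int i;

    for (i = 0; i < NBUFS; i++)
        bufs[i] = &sentinel;
    clear_pointer_array(bufs, NBUFS);
    return count_null_slots(bufs);
}

int main(void) {
    unsigned char *bufs[NBUFS];
    printf("sizeof(bufs)  = %zu bytes (clears all %d pointers)\n",
           bytes_cleared_by_sizeof_array(), NBUFS);
    printf("sizeof(*bufs) = %zu bytes (clears one pointer)\n",
           bytes_cleared_by_sizeof_element());
    printf("NULL slots after memset(bufs, 0, sizeof(bufs)):  %d\n",
           null_slots_after_memset(sizeof(bufs)));
    printf("NULL slots after memset(bufs, 0, sizeof(*bufs)): %d\n",
           null_slots_after_memset(sizeof(*bufs)));
    printf("NULL slots after clear_pointer_array(bufs, %d): %d\n",
           NBUFS, null_slots_after_helper());
    printf("sizeof(decayed parameter) = %zu bytes\n",
           sizeof_of_decayed_parameter(bufs));
    return 0;
}
```

Compile with `gcc -Wall` as in the report; on a 64-bit target the array form reports 32 bytes and four NULL slots, the element form 8 bytes and one NULL slot. The count-taking helper is the shape to prefer when the array is cleared somewhere other than the scope that declared it, because there sizeof() no longer sees the array.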