Corrupted zone file is not always refused with an error
Summary
A broken (corrupted) serialized zone file is not always refused with an error; it can crash the loader instead.
BIND version used
BIND 9.11.5-RedHat-9.11.5-2.fc29 (Extended Support Version) <id:3b0b204>
running on Linux x86_64 4.19.14-300.fc29.x86_64 #1 SMP Wed Jan 9 21:30:35 UTC 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--with-libidn2' '--enable-openssl-hash' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-atf=/usr' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE'
compiled by GCC 8.2.1 20181011 (Red Hat 8.2.1-4)
compiled with OpenSSL version: OpenSSL 1.1.1 FIPS 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 FIPS 11 Sep 2018
compiled with libxml2 version: 2.9.8
linked to libxml2 version: 20908
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
Steps to reproduce
When header->first_node_offset is greater than the file size, the computed node offset lies outside the memory-mapped range, and the loader still uses it instead of rejecting the file.
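The check the report asks for, as an added example that is not BIND's code: a loader for a hypothetical, simplified serialized tree format (a fixed header followed by nodes addressed by absolute byte offsets, standing in for the real dns_rbt file layout, whose field names and sizes are assumptions here) that validates first_node_offset, and every child offset reached from it, against the mapped file size before anything is dereferenced. It goes slightly beyond the reported case by also refusing a node that straddles the end of the file, an offset that would overflow when added to the base, and a cycle that would make a naive walk loop forever. The sample file and the corruption scenarios are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical on-disk layout standing in for BIND's serialized rbt file.
 * Field names and sizes are assumptions, not the real dns_rbt format. */
typedef struct {
    char     magic[4];            /* constructed tag "TREE" */
    uint32_t version;
    uint64_t first_node_offset;   /* absolute offset of the root node */
    uint64_t nodecount;           /* nodes the file claims to contain */
} file_header_t;

typedef struct {
    uint64_t left;                /* absolute child offsets, 0 = none */
    uint64_t right;
} file_node_t;

enum { LOAD_OK = 0, LOAD_TRUNCATED, LOAD_BAD_MAGIC, LOAD_BAD_OFFSET,
       LOAD_BAD_NODECOUNT };

/* True if [off, off+len) lies inside a file of filesize bytes; the
 * subtraction form cannot overflow the way off + len could. */
static int range_in_file(uint64_t off, size_t len, size_t filesize)
{
    return off <= filesize && len <= filesize - (size_t)off;
}

/* Depth-first walk that bounds-checks every offset before reading it and
 * caps the number of visited nodes so a cycle cannot loop forever. */
static int walk(const uint8_t *base, size_t filesize, uint64_t off,
                uint64_t *visited, uint64_t limit)
{
    file_node_t n;
    int rc;

    if (off == 0)
        return LOAD_OK;                          /* missing child */
    if (*visited >= limit)
        return LOAD_BAD_NODECOUNT;               /* cycle or lying header */
    (*visited)++;
    if (!range_in_file(off, sizeof(n), filesize))
        return LOAD_BAD_OFFSET;                  /* node would leave the map */
    memcpy(&n, base + off, sizeof(n));           /* memcpy: no alignment assumed */
    if ((rc = walk(base, filesize, n.left, visited, limit)) != LOAD_OK)
        return rc;
    return walk(base, filesize, n.right, visited, limit);
}

/* Validate a mapped file before any offset in it is dereferenced. */
int validate_tree_file(const uint8_t *base, size_t filesize)
{
    file_header_t h;
    uint64_t visited = 0;
    int rc;

    if (filesize < sizeof(h))
        return LOAD_TRUNCATED;
    memcpy(&h, base, sizeof(h));
    if (memcmp(h.magic, "TREE", 4) != 0)
        return LOAD_BAD_MAGIC;
    /* The check the crash calls for: the root node must lie inside the file
     * (and past the header), so a first_node_offset beyond filesize is
     * refused instead of being added to the mapping base. */
    if (h.first_node_offset < sizeof(h) ||
        !range_in_file(h.first_node_offset, sizeof(file_node_t), filesize))
        return LOAD_BAD_OFFSET;
    rc = walk(base, filesize, h.first_node_offset, &visited, h.nodecount);
    if (rc != LOAD_OK)
        return rc;
    return visited == h.nodecount ? LOAD_OK : LOAD_BAD_NODECOUNT;
}

/* Constructed sample: header plus a root with two leaf children (72 bytes). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    file_header_t h = { {'T', 'R', 'E', 'E'}, 1, sizeof(file_header_t), 3 };
    uint64_t base_off = sizeof(file_header_t);
    file_node_t nodes[3] = {
        { base_off + sizeof(file_node_t), base_off + 2 * sizeof(file_node_t) },
        { 0, 0 }, { 0, 0 } };
    size_t total = sizeof(h) + sizeof(nodes);

    if (cap < total)
        return 0;
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), nodes, sizeof(nodes));
    return total;
}

/* Rebuild the sample, overwrite first_node_offset the way the randomising
 * unit test corrupts the file, and report what the validator says. */
int validate_with_first_offset(uint64_t off)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof(buf));

    memcpy(buf + offsetof(file_header_t, first_node_offset), &off, sizeof(off));
    return validate_tree_file(buf, n);
}

/* Rebuild the sample and make the root's left child point back at the root. */
int validate_with_cycle(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof(buf));
    uint64_t root = sizeof(file_header_t);

    memcpy(buf + root, &root, sizeof(root));
    return validate_tree_file(buf, n);
}

int main(void)
{
    printf("intact=%d past_end=%d straddles_end=%d huge=%d cycle=%d\n",
           validate_with_first_offset(24), validate_with_first_offset(73),
           validate_with_first_offset(71), validate_with_first_offset(UINT64_MAX),
           validate_with_cycle());
    return 0;
}
```

The intact sample validates; an offset one past the end, an offset that leaves only part of a node inside the file, and UINT64_MAX are all refused as bad offsets rather than turned into an out-of-range pointer, and the self-referencing node is refused once more nodes have been visited than the header claims.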
What is the current bug behavior?
It loads the file but fails when interpreting it (the unit test below dies with signal 11).
What is the expected correct behavior?
It should reject the file as invalid.
Relevant configuration files
None.
Relevant logs and/or screenshots
No configuration is required; the unit test reproduces it with a bit of luck, or reliably with the reproducer patch attached under Possible fixes.
It was discovered by running the unit tests, which corrupt the serialized file at random.
$ kyua test rbt_serialize_test
rbt_serialize_test:deserialize_corrupt -> broken: Premature exit; test case received signal 11 (core dumped) [0.644s]
rbt_serialize_test:serialize -> passed [0.027s]
rbt_serialize_test:serialize_align -> passed [0.017s]
Possible fixes
0001-Reproducer-for-crash-in-serialize_test.patch
0002-Fix-possible-crash-when-loading-corrupted-file.patch
I think a specially crafted file could crash named, but I assume binary zones are not usually obtained from trusted sources. Anyway, I am leaving it up to you whether this should be a public issue or not. Feel free to switch it to public.