Attempt to silence untrusted loop bound (!4661) · Merge requests · ISC Open Source Projects / BIND

Mark Andrews requested to merge 2469-cid-281461-untrusted-loop-bound-v9_16 into v9_16 Feb 08, 2021

Assign hit_len + key_len to len and test the result rather than recomputing and letting the compiler simplify.

213        isc_region_consume(&region, 2); /* hit length + algorithm */
    9. tainted_return_value: Function uint16_fromregion returns tainted data. [show details]
    10. tainted_data_transitive: Call to function uint16_fromregion with tainted argument *region.base returns tainted data.
    11. tainted_return_value: Function uint16_fromregion returns tainted data.
    12. tainted_data_transitive: Call to function uint16_fromregion with tainted argument *region.base returns tainted data.
    13. var_assign: Assigning: key_len = uint16_fromregion(&region), which taints key_len.
214        key_len = uint16_fromregion(&region);
    14. lower_bounds: Casting narrower unsigned key_len to wider signed type int effectively tests its lower bound.
    15. Condition key_len == 0, taking false branch.
215        if (key_len == 0) {
216                RETERR(DNS_R_FORMERR);
217        }
    16. Condition !!(_r->length >= _l), taking true branch.
    17. Condition !!(_r->length >= _l), taking true branch.
218        isc_region_consume(&region, 2);
    18. lower_bounds: Casting narrower unsigned key_len to wider signed type int effectively tests its lower bound.
    19. Condition region.length < (unsigned int)(hit_len + key_len), taking false branch.
219        if (region.length < (unsigned)(hit_len + key_len)) {
220                RETERR(DNS_R_FORMERR);
221        }
222
    20. lower_bounds: Casting narrower unsigned key_len to wider signed type int effectively tests its lower bound.
    21. Condition _r != 0, taking false branch.
223        RETERR(mem_tobuffer(target, rr.base, 4 + hit_len + key_len));
    22. lower_bounds: Casting narrower unsigned key_len to wider signed type int effectively tests its lower bound.
    23. var_assign_var: Compound assignment involving tainted variable 4 + hit_len + key_len to variable source->current taints source->current.
224        isc_buffer_forward(source, 4 + hit_len + key_len);
225
226        dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);

CID 281461 (#1 of 1): Untrusted loop bound (TAINTED_SCALAR)
    24. tainted_data: Using tainted variable source->active - source->current as a loop boundary.
Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
227        while (isc_buffer_activelength(source) > 0) {
228                dns_name_init(&name, NULL);
229                RETERR(dns_name_fromwire(&name, source, dctx, options, target));
230        }

(cherry picked from commit 2f946c83)

Closes #2469 (closed)

Attempt to silence untrusted loop bound

Merge request reports