Address theoretical buffer overrun in recent change

The strlcat() call was wrong.

*** CID 316608:  Memory - corruptions  (OVERRUN)
/lib/dns/resolver.c: 5017 in fctx_create()
5011     	 * Make fctx->info point to a copy of a formatted string
5012     	 * "name/type".
5013     	 */
5014     	dns_name_format(name, buf, sizeof(buf));
5015     	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
5016     	p = strlcat(buf, "/", sizeof(buf));
>>>     CID 316608:  Memory - corruptions  (OVERRUN)
>>>     Calling "strlcat" with "buf + p" and "1036UL" is suspicious because "buf" points into a buffer of 1036 bytes and the function call may access "(char *)(buf + p) + 1035UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
5017     	strlcat(buf + p, typebuf, sizeof(buf));
5018     	fctx->info = isc_mem_strdup(mctx, buf);
5019
5020     	FCTXTRACE("create");
5021     	dns_name_init(&fctx->name, NULL);
5022     	dns_name_dup(name, mctx, &fctx->name);

(cherry picked from commit 59bf6e71)

Closes #2443
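As an added example (not BIND's code and not the change in this commit), a small C demonstration of the size-accounting rule behind the Coverity finding: the bound passed to a bounded string function must be the capacity behind the pointer it is paired with, so `buf` goes with `sizeof(buf)` while a sub-pointer `buf + p` may only be given the space left after `p`. The `bounded_strlcat()` helper, the canary arena and the `name`/`type` inputs are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Portable strlcat() (assumed helper; not every libc ships strlcat). Appends src
 * within dstsize bytes, NUL-terminates, returns strlen(dst)+strlen(src). */
static size_t bounded_strlcat(char *dst, const char *src, size_t dstsize)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t dlen = end ? (size_t)(end - dst) : dstsize;
    size_t slen = strlen(src);
    if (dlen == dstsize)            /* dst not terminated within dstsize */
        return dstsize + slen;
    size_t room = dstsize - dlen - 1;
    size_t ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* The bound that belongs with a sub-pointer buf + used: the space actually
 * left, never the whole sizeof(buf) that the Coverity finding flagged. */
size_t remaining_space(size_t bufsize, size_t used)
{
    return used < bufsize ? bufsize - used : 0;
}

/* Build "name/type": every call pairs buf itself with its full size, so the
 * bound never exceeds the real capacity. Returns false on truncation. */
bool format_name_type(char *buf, size_t bufsize, const char *name, const char *type)
{
    if (bufsize == 0) return false;
    buf[0] = '\0';
    bounded_strlcat(buf, name, bufsize);
    bounded_strlcat(buf, "/", bufsize);
    return bounded_strlcat(buf, type, bufsize) < bufsize;
}

/* Formats into the first bufsize bytes of a canary-filled 64-byte arena.
 * Returns 0 if a canary byte beyond bufsize changed, 3 if the text differs
 * from expected, 1 if everything fit, 2 if it was truncated in bounds. */
int format_in_arena(size_t bufsize, const char *name, const char *type, const char *expected)
{
    char arena[64];
    memset(arena, 0x5a, sizeof(arena));
    bool fit = format_name_type(arena, bufsize, name, type);
    for (size_t i = bufsize; i < sizeof(arena); i++)
        if ((unsigned char)arena[i] != 0x5a) return 0;
    if (strcmp(arena, expected) != 0) return 3;
    return fit ? 1 : 2;
}
```

With a buffer too small for the whole string the output is cut short but the canary bytes after the buffer are untouched, which is exactly what a bound equal to the real remaining capacity guarantees.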