[2124] Check that algorithm and fingerprint are in the range [1,255]

d0d70f21 · Mukund Sivaraman · 045ede28 · d0d70f21 · d0d70f21
Commit d0d70f21 authored Jul 23, 2012 by Mukund Sivaraman
--- a/src/lib/dns/rdata/generic/sshfp_44.cc
+++ b/src/lib/dns/rdata/generic/sshfp_44.cc
@@ -43,6 +43,14 @@ SSHFP::SSHFP(InputBuffer& buffer, size_t rdata_len) {
    algorithm_ = buffer.readUint8();
    fingerprint_type_ = buffer.readUint8();

+    if (algorithm_ < 1) {
+        isc_throw(InvalidRdataText, "SSHFP algorithm number out of range");
+    }
+
+    if (fingerprint_type_ < 1) {
+        isc_throw(InvalidRdataText, "SSHFP fingerprint type out of range");
+    }
+
    rdata_len -= 2;
    fingerprint_.resize(rdata_len);
    buffer.readData(&fingerprint_[0], rdata_len);
@@ -60,6 +68,14 @@ SSHFP::SSHFP(const std::string& sshfp_str) {
        isc_throw(InvalidRdataText, "Invalid SSHFP text");
    }

+    if ((algorithm < 1) || (algorithm > 255)) {
+        isc_throw(InvalidRdataText, "SSHFP algorithm number out of range");
+    }
+
+    if ((fingerprint_type < 1) || (fingerprint_type > 255)) {
+        isc_throw(InvalidRdataText, "SSHFP fingerprint type out of range");
+    }
+
    iss.read(&peekc, 1);
    if (!iss.good() || !isspace(peekc, iss.getloc())) {
        isc_throw(InvalidRdataText, "SSHFP presentation format error");
@@ -75,6 +91,14 @@ SSHFP::SSHFP(const std::string& sshfp_str) {
 SSHFP::SSHFP(uint8_t algorithm, uint8_t fingerprint_type,
             const std::string& fingerprint)
 {
+    if (algorithm < 1) {
+        isc_throw(InvalidRdataText, "SSHFP algorithm number out of range");
+    }
+
+    if (fingerprint_type < 1) {
+        isc_throw(InvalidRdataText, "SSHFP fingerprint type out of range");
+    }
+
    algorithm_ = algorithm;
    fingerprint_type_ = fingerprint_type;
    decodeHex(fingerprint, fingerprint_);

--- a/src/lib/dns/tests/rdata_sshfp_unittest.cc
+++ b/src/lib/dns/tests/rdata_sshfp_unittest.cc
@@ -60,7 +60,6 @@ TEST_F(Rdata_SSHFP_Test, algorithmTypes) {
    // Some of these may not be RFC conformant, but we relax the check
    // in our code to work with algorithm and fingerprint types that may
    // show up in the future.
-    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("0 1 123456789abcdef67890123456789abcdef67890"));
    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("1 1 123456789abcdef67890123456789abcdef67890"));
    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("2 1 123456789abcdef67890123456789abcdef67890"));
    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("3 1 123456789abcdef67890123456789abcdef67890"));
@@ -71,6 +70,12 @@ TEST_F(Rdata_SSHFP_Test, algorithmTypes) {
    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("1 3 123456789abcdef67890123456789abcdef67890"));
    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("1 128 123456789abcdef67890123456789abcdef67890"));
    EXPECT_NO_THROW(const generic::SSHFP rdata_sshfp("1 255 123456789abcdef67890123456789abcdef67890"));
+
+    // 0 is still reserved.
+    EXPECT_THROW(const generic::SSHFP rdata_sshfp("0 1 123456789abcdef67890123456789abcdef67890"),
+                 InvalidRdataText);
+    EXPECT_THROW(const generic::SSHFP rdata_sshfp("1 0 123456789abcdef67890123456789abcdef67890"),
+                 InvalidRdataText);
 }

 TEST_F(Rdata_SSHFP_Test, badText) {