From a347641782dfb47aa45e6e8ffc9e0c6db4c07deb Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 25 Aug 2020 22:59:35 +1000
Subject: [PATCH] Cast the original rcode to (dns_ttl_t) when setting extended rcode

Shifting (signed) integer left could trigger undefined behaviour when the shifted value would overflow into the sign bit (e.g. 2048). The issue was found when using AFL++ and UBSAN:
message.c:2274:33: runtime error: left shift of 2048 by 20 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior message.c:2274:33 in
---
 lib/dns/message.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 97425c753b..c819957ae2 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -2268,10 +2268,11 @@ dns_message_renderend(dns_message_t *msg) {
 dns_message_renderrelease(msg, msg->opt_reserved);
 msg->opt_reserved = 0;
 /*
- * Set the extended rcode.
+ * Set the extended rcode. Cast msg->rcode to dns_ttl_t
+ * so that we do a unsigned shift.
 */
 msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
- msg->opt->ttl |= ((msg->rcode << 20) &
+ msg->opt->ttl |= (((dns_ttl_t)(msg->rcode) << 20) &
 DNS_MESSAGE_EDNSRCODE_MASK);
 /*
 * Render.
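Review bot: On the changed `msg->opt->ttl |=` line the cast makes the shift well defined, but an rcode that does not fit the extended-rcode field is still truncated silently, because its high bits are shifted out and the rest is masked off. Nothing in the hunk shows msg->rcode being bounded before this point, and dns_message_renderend starts and ends outside the hunk, so the setter may already enforce a limit. Assuming the field is the usual 12 bits, masking before the shift would make the discard explicit without changing the result: `msg->opt->ttl |= (((dns_ttl_t)(msg->rcode & 0xfff) << 20) &`. The new comment could also give the reason rather than only the mechanism, for example `Cast msg->rcode to dns_ttl_t so that the shift is done in an unsigned type; shifting a signed int into the sign bit is undefined behaviour.`, which also fixes "a unsigned". The diffstat lists a single file, so no regression test for the value 2048 that UBSAN reported appears to accompany the fix.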