From 25006e2f176c00edab4ac596b5eaa20c9f212cb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sun, 22 Feb 2026 06:37:33 +0100 Subject: [PATCH] Importing invalid SKR file might overflow the stack buffer If an invalid SKR file is imported, reading the time from the token buffer might overflow the buffer on the local stack. This has been fixed by removing the intermediate buffer and parsing the lexer token directly. (cherry picked from commit 8ab4827a0c35128a88212237395f388c17e9ff26) --- bin/dnssec/dnssec-ksr.c | 6 ++---- lib/dns/skr.c | 4 +--- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index d5a7e7f3eb..01df9843cc 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -1211,7 +1211,6 @@ sign(ksr_ctx_t *ksr) { } if (strcmp(STR(token), ";;") == 0) { - char bundle[KSR_LINESIZE]; isc_stdtime_t next_inception; CHECK(isc_lex_gettoken(lex, opt, &token)); @@ -1245,9 +1244,8 @@ sign(ksr_ctx_t *ksr) { } /* Date and time of bundle */ - sscanf(STR(token), "%s", bundle); - next_inception = strtotime(bundle, ksr->now, ksr->now, - NULL); + next_inception = strtotime(STR(token), ksr->now, + ksr->now, NULL); if (have_bundle) { /* Sign previous bundle */ diff --git a/lib/dns/skr.c b/lib/dns/skr.c index cfe27cc54c..6b63612dbf 100644 --- a/lib/dns/skr.c +++ b/lib/dns/skr.c @@ -231,7 +231,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin, dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) { isc_result_t result; dns_skrbundle_t *bundle = NULL; - char bundlebuf[1024]; uint32_t bundle_id; isc_lex_t *lex = NULL; isc_lexspecials_t specials; 
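Review bot: In the second dnssec-ksr.c hunk (`@@ -1245,9 +1244,8 @@`), the result of `strtotime(STR(token), ksr->now, ksr->now, NULL)` is stored in `next_inception` with no visible validation, whereas the matching call in lib/dns/skr.c goes through `CHECK(...)`. Whether strtotime rejects malformed text itself cannot be seen from this hunk; if it does, say so next to the call, otherwise add an explicit check before `next_inception` is used. I would also extend the comment to `/* Date and time of bundle: parse the lexer token in place, its length comes from the input file so never copy it into a fixed buffer */` so the intermediate copy is not reintroduced later. Any token-type check sits above the hunk, and sign() starts and ends outside it.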
@@ -304,8 +303,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin, } /* Create new bundle */ - sscanf(STR(token), "%s", bundlebuf); - CHECK(dns_time32_fromtext(bundlebuf, &bundle_id)); + CHECK(dns_time32_fromtext(STR(token), &bundle_id)); bundle = NULL; skrbundle_create(mctx, (isc_stdtime_t)bundle_id, &bundle);
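Review bot: No regression test appears to accompany the fix: the diffstat lists only bin/dnssec/dnssec-ksr.c and lib/dns/skr.c, so nothing pins how `CHECK(dns_time32_fromtext(STR(token), &bundle_id));` behaves when the bundle timestamp token is longer than the removed 1024-byte `bundlebuf`. A malformed-SKR test case with an over-long token in that position, expected to fail cleanly, would guard both this call and the strtotime call in dnssec-ksr.c. The old `sscanf(..., "%s", ...)` also stopped at the first whitespace, while the whole token is now parsed, so input that used to be truncated silently is presumably rejected now. A one-line comment above the call such as `/* Parse the token in place; do not copy it into a fixed-size buffer */` would record that intent. dns_skr_read continues outside the hunk.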