From 25845a866e83dd35ef0e0a7891babc5ed59081c5 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 26 Jun 2024 14:39:04 +1000
Subject: [PATCH] Check for overflow when adding lifetime

---
 lib/dns/keymgr.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 8367b38003..cee11a2db0 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -298,7 +298,9 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 			return (0);
 		}
 
-		retire = active + klifetime;
+		if (ISC_OVERFLOW_ADD(active, klifetime, &retire)) {
+			retire = UINT32_MAX;
+		}
 		dst_key_settime(key->key, DST_TIME_INACTIVE, retire);
 	}
 
@@ -398,9 +400,12 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 		dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
 		if (lifetime > 0) {
 			uint32_t a = now;
+			uint32_t inactive;
 			(void)dst_key_gettime(key->key, DST_TIME_ACTIVATE, &a);
-			dst_key_settime(key->key, DST_TIME_INACTIVE,
-					(a + lifetime));
+			if (ISC_OVERFLOW_ADD(a, lifetime, &inactive)) {
+				inactive = UINT32_MAX;
+			}
+			dst_key_settime(key->key, DST_TIME_INACTIVE, inactive);
 			keymgr_settime_remove(key, kasp);
 		} else {
 			dst_key_unsettime(key->key, DST_TIME_INACTIVE);
@@ -1875,8 +1880,12 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
 
 	/* Do we need to set retire time? */
 	if (lifetime > 0) {
-		dst_key_settime(new_key->key, DST_TIME_INACTIVE,
-				(active + lifetime));
+		uint32_t inactive;
+
+		if (ISC_OVERFLOW_ADD(active, lifetime, &inactive)) {
+			inactive = UINT32_MAX;
+		}
+		dst_key_settime(new_key->key, DST_TIME_INACTIVE, inactive);
 		keymgr_settime_remove(new_key, kasp);
 	}