From 0b6af23d619e6969c481f51f7360e5a7299be8f5 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 28 Feb 2022 11:47:56 +1100
Subject: [PATCH 1/3] Grow the lex token buffer in one more place when parsing key pairs, if the '=' character fell at max_token a protective INSIST preventing buffer overrun could be triggered. Attempt to grow the buffer immediately before the INSIST. Also removed an unnecessary INSIST on the opening double quote of key buffer pair. (cherry picked from commit 4c356d277002d3e2f60fe43aaa85a4d524d933f8)
---
 lib/isc/lex.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index 9546553800..aa9b549f79 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -670,6 +670,13 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 case lexstate_string:
 if (!escaped && c == '=' &&
 (options & ISC_LEXOPT_VPAIR) != 0) {
+ if (remaining == 0U) {
+ result = grow_data(lex, &remaining,
+ &curr, &prev);
+ if (result != ISC_R_SUCCESS) {
+ goto done;
+ }
+ }
 INSIST(remaining > 0U);
 *curr++ = c;
 *curr = '\0';
@@ -682,7 +689,6 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 if (state == lexstate_vpairstart) {
 if (c == '"' &&
 (options & ISC_LEXOPT_QVPAIR) != 0) {
- INSIST(remaining > 0U);
 no_comments = true;
 state = lexstate_qvpair;
 break;
From c1a127643fce401a02c51b0b2a91ce06cfe570d7 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 28 Feb 2022 12:04:55 +1100
Subject: [PATCH 2/3] Add seed that demonstrated INSIST triggered in isc_lex_gettoken this is similar to the input found by ClusterFuzz Issue 45027 with the 0xff characters replaced for readability. (cherry picked from commit d36938321e346f676cfce2682b6a029da66b4f75)
---
 fuzz/dns_rdata_fromtext.in/svbc-max-token | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 fuzz/dns_rdata_fromtext.in/svbc-max-token
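Review bot: The terminator write `*curr = '\0';` that follows the newly added grow block in the `'='` branch stores one byte beyond the `remaining` count that `INSIST(remaining > 0U)` just checked, and nothing at this site says why that is in bounds; presumably the token buffer is allocated one byte larger than `max_token` (grow_data is not visible here), so a comment such as `/* data holds max_token + 1 bytes, so the terminator always fits after the last counted byte. */` above the INSIST would record the invariant the check relies on. The four-line grow-if-full preamble added here appears to repeat the pattern used for ordinary characters elsewhere in this function (outside the hunk), so a shared static helper that grows, asserts and stores would be a reasonable follow-up to stop the sites drifting apart again, as this one did. Because the INSIST aborts the process and the commit message says it was reachable from the text form of an HTTP/SVCB record, a deterministic unit test that calls isc_lex_gettoken with `ISC_LEXOPT_VPAIR` on a key exactly `max_token` bytes long followed by `=` would pin the fix beyond the fuzz seed. The enclosing isc_lex_gettoken body starts and ends outside the hunk.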
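Review bot: The branch that drops `INSIST(remaining > 0U)` stores nothing into the token buffer — it only sets `no_comments = true;` and switches `state` to `lexstate_qvpair` — which is why the check was dead, but nothing at the site says so and the next reader may put it back; a one-line comment `/* The opening quote is not copied into the token, so no buffer space is consumed here. */` above `no_comments = true;` would record that. The stores that follow in the `lexstate_qvpair` state are outside this hunk, so whether they each grow the buffer before writing cannot be confirmed from here. The enclosing isc_lex_gettoken body starts and ends outside the hunk.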
diff --git a/fuzz/dns_rdata_fromtext.in/svbc-max-token b/fuzz/dns_rdata_fromtext.in/svbc-max-token
new file mode 100644
index 0000000000..6d1a265d9f
--- /dev/null
+++ b/fuzz/dns_rdata_fromtext.in/svbc-max-token
@@ -0,0 +1 @@
+1 65 8 . aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
From cb7511495e56297514e1ea72ed7f829fd71e59cd Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 28 Feb 2022 12:01:02 +1100
Subject: [PATCH 3/3] Add CHANGES note for [GL #3175] (cherry picked from commit ce8703a79e8afbb7cb8ca78fe04bd8855dc4fefa)
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index 9545d7e4a3..7818ade44e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5815. [bug] If an oversized key name of a specific length was used
+ in the text form of an HTTP or SVBC record, an INSIST
+ could be triggered when parsing it. [GL #3175]
+
 5814. [bug] The RecursClients statistics counter could underflow in certain resolution scenarios. [GL #3147]