Merge branch '2421-cid-316509-untrusted-value-as-argument-tainted_scalar' into 'main'

Resolve "CID 316509: Untrusted value as argument (TAINTED_SCALAR)" Closes #2423 and #2421 See merge request isc-projects/bind9!4606
2026-06-11 13:50:00 -04:00 · 2021-02-11 23:39:18 +00:00 · 2021-02-11 23:39:18 +00:00 · 5750f89351
commit 5750f89351
parent 698d6372aa c40133d840
2 changed files with 3 additions and 0 deletions
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@ -302,6 +302,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 	nsec3->iterations = uint16_consume_fromregion(&region);

 	nsec3->salt_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3->salt_length <= region.length);
 	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
 	if (nsec3->salt == NULL) {
 		return (ISC_R_NOMEMORY);
@ -309,6 +310,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 	isc_region_consume(&region, nsec3->salt_length);

 	nsec3->next_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3->next_length <= region.length);
 	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
 	if (nsec3->next == NULL) {
 		goto cleanup;
--- a/lib/dns/rdata/generic/nsec3param_51.c
+++ b/lib/dns/rdata/generic/nsec3param_51.c
@ -238,6 +238,7 @@ tostruct_nsec3param(ARGS_TOSTRUCT) {
 	nsec3param->iterations = uint16_consume_fromregion(&region);

 	nsec3param->salt_length = uint8_consume_fromregion(&region);
+	INSIST(nsec3param->salt_length == region.length);
 	nsec3param->salt = mem_maybedup(mctx, region.base,
 					nsec3param->salt_length);
 	if (nsec3param->salt == NULL) {