[9.20] fix: usr: Importing invalid SKR file might corrupt stack memory

If an BIND 9 administrator imports an invalid SKR file, local stack
in the import function might overflow.  This could lead to
a memory corruption on the stack and ultimately server crash.
This has been fixed.

ISC would like to thank mcsky23 for bringing this bug to our attention.

Closes #5758

Backport of MR !11578

Merge branch 'backport-5758-fix-stack-overflow-via-rndc-skr-import-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11598

bin/dnssec/dnssec-ksr.c

@@ -1211,7 +1211,6 @@ sign(ksr_ctx_t *ksr) {
 		}
 
 		if (strcmp(STR(token), ";;") == 0) {
-			char bundle[KSR_LINESIZE];
 			isc_stdtime_t next_inception;
 
 			CHECK(isc_lex_gettoken(lex, opt, &token));
@@ -1245,9 +1244,8 @@ sign(ksr_ctx_t *ksr) {
 			}
 
 			/* Date and time of bundle */
-			sscanf(STR(token), "%s", bundle);
-			next_inception = strtotime(bundle, ksr->now, ksr->now,
-						   NULL);
+			next_inception = strtotime(STR(token), ksr->now,
+						   ksr->now, NULL);
 
 			if (have_bundle) {
 				/* Sign previous bundle */

bin/tests/system/ksr/ns1/named.conf.j2

@@ -93,3 +93,17 @@ dnssec-policy "ksk-roll" {
 		zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };
+
+dnssec-policy "invalid-skr" {
+	offline-ksk yes;
+	keys {
+		ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+zone "invalid-skr.test" {
+	type primary;
+	file "invalid-skr.test.db";
+	dnssec-policy "invalid-skr";
+};

bin/tests/system/ksr/ns1/setup.sh

@@ -27,3 +27,4 @@ cp template.db.in in-the-middle.test.db
 cp template.db.in unlimited.test.db
 cp template.db.in two-tone.test.db
 cp template.db.in ksk-roll.test.db
+cp template.db.in invalid-skr.test.db

bin/tests/system/ksr/tests_ksr.py

@@ -31,6 +31,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "past.test.*",
         "two-tone.test.*",
         "unlimited.test.*",
+        "invalid-skr.test.*",
         "ns1/K*",
         "ns1/_default.nzd",
         "ns1/_default.nzf",
@@ -74,6 +75,11 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns1/unlimited.test.db.signed",
         "ns1/unlimited.test.db.signed.jnl",
         "ns1/unlimited.test.unlimited.skr.1",
+        "ns1/invalid-skr.test.db",
+        "ns1/invalid-skr.test.db.jbk",
+        "ns1/invalid-skr.test.db.signed",
+        "ns1/invalid-skr.test.db.signed.jnl",
+        "ns1/invalid-skr.test.skr.1",
     ]
 )
 
@@ -1289,3 +1295,21 @@ def test_ksr_kskroll(ns1):
     isctest.kasp.check_apex(ns1, zone, ksks, zsks, offline_ksk=True)
     # - check subdomain
     isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True)
+
+
+def test_ksr_oversize(ns1):
+    zone = "invalid-skr.test"
+    n = 1
+
+    skr_fname = f"{zone}.skr.{n}"
+    token_len = 5000
+    with open(skr_fname, "w", encoding="utf-8") as skr:
+        huge_token = "A" * token_len
+        skr.write(f";; SignedKeyResponse 1.0 {huge_token}\n")
+
+    # - try importing invalid SKR file
+    shutil.copyfile(skr_fname, f"ns1/{skr_fname}")
+    ns1.rndc(f"skr -import {skr_fname} {zone}")
+
+    # - check if named is still running
+    ns1.rndc("status")

lib/dns/skr.c

@@ -231,7 +231,6 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
 	     dns_rdataclass_t rdclass, dns_ttl_t dnskeyttl, dns_skr_t **skrp) {
 	isc_result_t result;
 	dns_skrbundle_t *bundle = NULL;
-	char bundlebuf[1024];
 	uint32_t bundle_id;
 	isc_lex_t *lex = NULL;
 	isc_lexspecials_t specials;
@@ -304,8 +303,7 @@ dns_skr_read(isc_mem_t *mctx, const char *filename, dns_name_t *origin,
 			}
 
 			/* Create new bundle */
-			sscanf(STR(token), "%s", bundlebuf);
-			CHECK(dns_time32_fromtext(bundlebuf, &bundle_id));
+			CHECK(dns_time32_fromtext(STR(token), &bundle_id));
 			bundle = NULL;
 			skrbundle_create(mctx, (isc_stdtime_t)bundle_id,
 					 &bundle);