From c866769e664ba0a6a5e6f9375245f5ccca393009 Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Sun, 17 Oct 1999 22:31:03 +0000 Subject: [PATCH] more INSISTs for proper range before passing integers to isc_buffer_putuint16 --- lib/dns/message.c | 19 +++++++++++++++---- lib/dns/ncache.c | 8 ++++++-- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/lib/dns/message.c b/lib/dns/message.c index ed283a4e8b..4ed0cffafd 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -1384,7 +1384,9 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, * to indicate where to continue from. */ if (result != DNS_R_SUCCESS) { - dns_compress_rollback(&msg->cctx, st.used); + INSIST(st.used < 65536); + dns_compress_rollback(&msg->cctx, + (isc_uint16_t)st.used); *(msg->buffer) = st; /* rollback */ msg->buffer->length += msg->reserved; msg->counts[sectionid] += total; @@ -1424,10 +1426,19 @@ dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) tmp |= (msg->rcode & DNS_MESSAGE_RCODE_MASK); tmp |= (msg->flags & DNS_MESSAGE_FLAG_MASK); + INSIST(msg->counts[DNS_SECTION_QUESTION] < 65536 && + msg->counts[DNS_SECTION_ANSWER] < 65536 && + msg->counts[DNS_SECTION_AUTHORITY] < 65536 && + (msg->counts[DNS_SECTION_ADDITIONAL] + + msg->counts[DNS_SECTION_TSIG]) < 65536); + isc_buffer_putuint16(target, tmp); - isc_buffer_putuint16(target, msg->counts[DNS_SECTION_QUESTION]); - isc_buffer_putuint16(target, msg->counts[DNS_SECTION_ANSWER]); - isc_buffer_putuint16(target, msg->counts[DNS_SECTION_AUTHORITY]); + isc_buffer_putuint16(target, + (isc_uint16_t)msg->counts[DNS_SECTION_QUESTION]); + isc_buffer_putuint16(target, + (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]); + isc_buffer_putuint16(target, + (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]); tmp = msg->counts[DNS_SECTION_ADDITIONAL] + msg->counts[DNS_SECTION_TSIG]; isc_buffer_putuint16(target, tmp); diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c index 469f74068f..798a745328 100644 
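Review bot: The new `INSIST(st.used < 65536)` sits inside the `if (result != DNS_R_SUCCESS)` recovery branch, so a violated bound aborts the process at the point where the code is undoing a failed render. If the bound is a real invariant, it is better asserted where `st` is captured (outside this hunk), with a comment along the lines of `/* compression offsets are 16 bits; confirm the render buffer cannot exceed 64K */`. If it is not guaranteed, this needs an error return instead, because a build with assertions disabled would let the `(isc_uint16_t)` cast truncate silently. The same pattern appears at the `rollback:` label in lib/dns/ncache.c (`INSIST(savedbuffer.used < 65536)`). The enclosing function starts and ends outside the hunk.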
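Review bot: In dns_message_renderheader the ADDITIONAL plus TSIG sum is written out twice, once inside the new INSIST and again in the unchanged `tmp = ...` assignment below it. The final `isc_buffer_putuint16(target, tmp)` is also the only count written without the explicit `(isc_uint16_t)` cast that the other three now carry. Computing the sum once into a local before the INSIST and asserting on that local would keep the checked value and the written value from drifting apart. The literal 65536 is repeated in every comparison, so a one-line comment such as `/* header count fields are 16 bits on the wire */` above the INSIST would record why. The declaration of `tmp` is outside the hunk, so whether a cast is needed on that last call is unconfirmed.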
--- a/lib/dns/ncache.c +++ b/lib/dns/ncache.c @@ -312,8 +312,11 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx, * Set the rdata length field to the compressed * length. */ + INSIST((target->used >= rdlen.used + 2) && + (target->used - rdlen.used - 2 < 65536)); isc_buffer_putuint16(&rdlen, - target->used - rdlen.used - 2); + (isc_uint16_t)(target->used - + rdlen.used - 2)); count++; } @@ -325,7 +328,8 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx, return (ISC_R_SUCCESS); rollback: - dns_compress_rollback(cctx, savedbuffer.used); + INSIST(savedbuffer.used < 65536); + dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used); *countp = 0; *target = savedbuffer;
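Review bot: The upper-bound half of the new INSIST in dns_ncache_towire, `target->used - rdlen.used - 2 < 65536`, turns an rdata too long for the 16-bit length field into a process abort. The function already has a `rollback:` path (next hunk) that restores `*target` and zeroes `*countp`. If the rendered length can depend on cached data rather than only on program logic, that case is better handled as a render failure. Keep `INSIST(target->used >= rdlen.used + 2)` for the underflow invariant and replace the second clause with `if (target->used - rdlen.used - 2 >= 65536) goto rollback;`, after setting whatever result the rollback path returns (not visible here). The function body starts and ends outside the hunk.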