upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-23 16:20:26 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix Integer Overflow in Regional Allocator,

Browse source 
reported by X41 D-Sec.
This commit is contained in:
W.C.A. Wijngaards 2019-11-19 15:38:05 +01:00
parent 5d46bb3879
commit 226298bbd3
5 changed files with 50 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config.h.in
View file

@ -715,6 +715,9 @@
/* Shared data */ /* Shared data */
#undef SHARE_DIR #undef SHARE_DIR
/* The size of `size_t', as computed by sizeof. */
#undef SIZEOF_SIZE_T
/* The size of `time_t', as computed by sizeof. */ /* The size of `time_t', as computed by sizeof. */
#undef SIZEOF_TIME_T #undef SIZEOF_TIME_T

33
configure vendored
View file

@ -15069,6 +15069,39 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
# The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5
$as_echo_n "checking size of size_t... " >&6; }
if ${ac_cv_sizeof_size_t+:} false; then :
$as_echo_n "(cached) " >&6
else
if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then :
else
if test "$ac_cv_type_size_t" = yes; then
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error 77 "cannot compute sizeof (size_t)
See \`config.log' for more details" "$LINENO" 5; }
else
ac_cv_sizeof_size_t=0
fi
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5
$as_echo "$ac_cv_sizeof_size_t" >&6; }
cat >>confdefs.h <<_ACEOF
#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t
_ACEOF
# add option to disable the evil rpath # add option to disable the evil rpath

1
configure.ac
View file

@ -432,6 +432,7 @@ AC_INCLUDES_DEFAULT
# endif # endif
#endif #endif
]) ])
AC_CHECK_SIZEOF(size_t)
# add option to disable the evil rpath # add option to disable the evil rpath
ACX_ARG_RPATH ACX_ARG_RPATH

2
doc/Changelog
View file

@ -3,6 +3,8 @@
- 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development. - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
- Fix authzone printout buffer length check. - Fix authzone printout buffer length check.
- Fixes to please lint checks. - Fixes to please lint checks.
- Fix Integer Overflow in Regional Allocator,
reported by X41 D-Sec.
18 November 2019: Wouter 18 November 2019: Wouter
- In unbound-host use separate variable for get_option to please - In unbound-host use separate variable for get_option to please

12
util/regional.c
View file

@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
void * void *
regional_alloc(struct regional *r, size_t size) regional_alloc(struct regional *r, size_t size)
{ {
size_t a = ALIGN_UP(size, ALIGNMENT); size_t a;
void *s; void *s;
if(
#if SIZEOF_SIZE_T == 8
(unsigned long long)size >= 0xffffffffffffff00ULL
#else
(unsigned)size >= (unsigned)0xffffff00UL
#endif
)
return NULL; /* protect against integer overflow in
malloc and ALIGN_UP */
a = ALIGN_UP(size, ALIGNMENT);
/* large objects */ /* large objects */
if(a > REGIONAL_LARGE_OBJECT_SIZE) { if(a > REGIONAL_LARGE_OBJECT_SIZE) {
s = malloc(ALIGNMENT + size); s = malloc(ALIGNMENT + size);