- Fix Integer Overflow in Regional Allocator,

reported by X41 D-Sec.
2025-12-20 23:00:56 -05:00 · 2019-11-19 15:38:05 +01:00 · 2019-11-19 15:38:05 +01:00 · 226298bbd3
commit 226298bbd3
parent 5d46bb3879
5 changed files with 50 additions and 1 deletions
--- a/config.h.in
+++ b/config.h.in
@ -715,6 +715,9 @@
 /* Shared data */
 #undef SHARE_DIR

+/* The size of `size_t', as computed by sizeof. */
+#undef SIZEOF_SIZE_T
+
 /* The size of `time_t', as computed by sizeof. */
 #undef SIZEOF_TIME_T

--- a/33
+++ b/33
@ -15069,6 +15069,39 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF


+# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5
+$as_echo_n "checking size of size_t... " >&6; }
+if ${ac_cv_sizeof_size_t+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_size_t" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (size_t)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_size_t=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5
+$as_echo "$ac_cv_sizeof_size_t" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t
+_ACEOF
+
+

 # add option to disable the evil rpath

--- a/configure.ac
+++ b/configure.ac
@ -432,6 +432,7 @@ AC_INCLUDES_DEFAULT
 # endif
 #endif
 ])
+AC_CHECK_SIZEOF(size_t)

 # add option to disable the evil rpath
 ACX_ARG_RPATH
--- a/doc/Changelog
+++ b/doc/Changelog
@ -3,6 +3,8 @@
 	- 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
 	- Fix authzone printout buffer length check.
 	- Fixes to please lint checks.
+	- Fix Integer Overflow in Regional Allocator,
+	  reported by X41 D-Sec.

 18 November 2019: Wouter
 	- In unbound-host use separate variable for get_option to please
--- a/util/regional.c
+++ b/util/regional.c
@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
 void *
 regional_alloc(struct regional *r, size_t size)
 {
-	size_t a = ALIGN_UP(size, ALIGNMENT);
+	size_t a;
 	void *s;
+	if(
+#if SIZEOF_SIZE_T == 8
+		(unsigned long long)size >= 0xffffffffffffff00ULL
+#else
+		(unsigned)size >= (unsigned)0xffffff00UL
+#endif
+		)
+		return NULL; /* protect against integer overflow in
+			malloc and ALIGN_UP */
+	a = ALIGN_UP(size, ALIGNMENT);
 	/* large objects */
 	if(a > REGIONAL_LARGE_OBJECT_SIZE) {
 		s = malloc(ALIGNMENT + size);