From f458f6496de4dce06b1f9682537855800eda9675 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 17 Oct 2022 08:45:09 +0000
Subject: [PATCH] Fix a logical bug in cfg_print_duration()
The cfg_print_duration() function prints an ISO 8601 duration value
converted from an array of integers, where the parts of the date and
time are stored.
durationlen[6], which holds the "seconds" part of the duration, has
a special case in cfg_print_duration() to ensure that when there are
no values in the duration, the result still can be printed as "PT0S",
instead of just "P", so it can be a valid ISO 8601 duration value.
There is a logical error in one of the two special case code paths,
when it checks that no value from the "date" part is defined, and no
"hour" or "minute" from the "time" part are defined.
Because of the error, durationlen[6] can be used uninitialized, in
which case the second parameter passed to snprintf() (which is the
maximum allowed length) can contain a garbage value.
This can not be exploited because the buffer is still big enough to
hold the maximum possible amount of characters generated by the "%u%c"
format string.
Fix the logical bug, and initialize the 'durationlen' array to zeros
to be a little safer from other similar errors.
(cherry picked from commit 94409101870b689f77452b6324968687d9f3c72f)
---
lib/isccfg/parser.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index b2a4a0ee979..42056c974e8 100644
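--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1041,7 +1041,7 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 char *str;
 const char *indicators = "YMWDHMS";
 int count, i;
- int durationlen[7];
+ int durationlen[7] = { 0 };
 cfg_duration_t duration;
 /*
 * D ? The duration has a date part.
@@ -1073,10 +1073,8 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 } else {
 T = true;
 }
- } else {
- durationlen[i] = 0;
+ count += durationlen[i];
 }
- count += durationlen[i];
 }
 /*
 * Special case for seconds which is not taken into account in the
@@ -1114,7 +1112,7 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 }
 /* Special case for seconds. */
 if (duration.parts[6] > 0 ||
- (!D && !duration.parts[4] && !duration.parts[3])) {
+ (!D && !duration.parts[4] && !duration.parts[5])) {
 snprintf(str, durationlen[6] + 2, "%u%c",
 (uint32_t)duration.parts[6], indicators[6]);
 }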
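Review bot: The seconds special-case test in the last hunk is still a second hand-written copy of a condition that, per the commit message, also appears in the length-calculation path, and the bug fixed here is exactly those two copies drifting apart. Evaluating it once after the counting loop, e.g. `bool print_seconds = duration.parts[6] > 0 || (!D && !duration.parts[4] && !duration.parts[5]);`, and testing that flag in both places would remove this class of error; the first copy is outside the visible hunks, so confirm that D is final at that point. The `snprintf()` bound `durationlen[6] + 2` also comes from the same length bookkeeping rather than from the space left in the destination, so with the new zero initialisation a future mismatch would silently truncate the seconds field to one character instead of being noticed. Bounding the call by the remaining buffer size would make the limit independent of that bookkeeping; the buffer declaration is not in the hunks, so this needs checking against the full function.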
--
2.23.0