- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the

dname_concatenate() function. Reported by Frederic Cambus. It causes the zone parser to crash on a malformed zone file, with assertions enabled, an assertion catches it.
NLnetLabs · Jul 4, 2019 · 91102da · 91102da
1 parent 35bce05
commit 91102da
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/doc/ChangeLog b/doc/ChangeLog
@@ -1,3 +1,9 @@
+4 July 2019: Wouter
+	- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
+	  dname_concatenate() function.  Reported by Frederic Cambus.
+	  It causes the zone parser to crash on a malformed zone file,
+	  with assertions enabled, an assertion catches it.
+
 2 July 2019: Wouter
 	- Tag for 4.2.1rc1
 

diff --git a/doc/RELNOTES b/doc/RELNOTES
@@ -1,5 +1,14 @@
 NSD RELEASE NOTES
 
+4.2.2 (in development)
+================
+BUG FIXES:
+	- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
+	  dname_concatenate() function.  Reported by Frederic Cambus.
+	  It causes the zone parser to crash on a malformed zone file,
+	  with assertions enabled, an assertion catches it.
+
+
 4.2.1
 ================
 FEATURES:

diff --git a/zparser.y b/zparser.y
@@ -1020,6 +1020,10 @@ rdata_ipsec_base: STR sp STR sp STR sp dotted_str
 				if(parser->origin == error_domain) {
 		    			zc_error("cannot concatenate origin to domain name, because origin failed to parse");
 					break;
+				} else if(name->name_size + domain_dname(parser->origin)->name_size - 1 > MAXDOMAINLEN) {
+					zc_error("ipsec gateway name exceeds %d character limit",
+						MAXDOMAINLEN);
+					break;
 				}
 				name = dname_concatenate(parser->rr_region, name, 
 					domain_dname(parser->origin));