BIND 10 #838: "string iterator is not dereferencable" issue

BIND 10 Development do-not-reply at isc.org
Fri Apr 8 17:43:20 UTC 2011


#838: "string iterator is not dereferencable" issue
------------------------------------------+---------------------------
                 Reporter:  fdupont       |                Owner:
                     Type:  defect        |               Status:  new
                 Priority:  major         |            Milestone:
                Component:  Unclassified  |           Resolution:
                 Keywords:                |            Sensitive:  0
Estimated Number of Hours:  0             |  Add Hours to Ticket:  0
                Billable?:  1             |          Total Hours:  0
                Internal?:  0             |
------------------------------------------+---------------------------

Comment (by fdupont):

 Found at least one bug: src/lib/dns/util/base_n.cc is wrong:
 in DecodeNormalizer:

     const char& operator*() const {
         if (in_pad_ && *base_ == BASE_PADDING_CHAR) {
             return (base_zero_code_);
         } else {
             return (*base_);
         }
     }

 If base_ is already at the end, it is illegal to dereference it.
 Now BaseNTransformer<>::decode calls:

        result.assign(Decoder(DecodeNormalizer(BaseZeroCode, input.begin(),
                                               srit.base(), input.end())),
                      Decoder(DecodeNormalizer(BaseZeroCode, input.end(),
                                               input.end(), input.end())));

 This is an internal error as (from DecodeNormalizer comment):
 // Note: this class is intended to be used within this implementation file,
 // and for simplicity assumes "base < base_beginpad <= base_end" on
 // construction without validating the arguments.  The behavior is undefined
 // if this assumption doesn't hold.

 I agree: it is undefined and only seems to work...
 Of course there is a similar issue on the encoding side.

 About the crash itself, I added something to trace to_4_bit() in
 util/binary_from_base16.h when decodeHex() is called with "dea":
 the stopping condition doesn't work as the function is called
 for 'd', 'e', 'a', and:
  - on Windows it crashes (at the place I cited at the beginning of the comment)
  - on Linux it is called with '\0', fortunately it raises BadValue
 IMHO the transform_width logic is not what was expected.

 Good news: it seems it is the only source of errors (others are
 in 836).

-- 
Ticket URL: <http://bind10.isc.org/ticket/838#comment:4>
BIND 10 Development <http://bind10.isc.org>
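The failure mode described in the comment above (dereferencing an iterator that already equals end(), which crashes under checked iterators on Windows and happens to read '\0' on Linux) can be turned into a reported error by making the adaptor carry its end position. This is an added example, not BIND 10 code: `CheckedCharIter`, `hexValue`, `decodeHexChecked` and `rejectsInput` are hypothetical names, and rejecting odd-length hex input is an assumption of the example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical iterator adaptor that knows its end and never dereferences it.
class CheckedCharIter {
public:
    CheckedCharIter(std::string::const_iterator pos,
                    std::string::const_iterator end) : pos_(pos), end_(end) {}
    char operator*() const {
        // *end() is undefined behaviour, so report it instead of reading.
        if (pos_ == end_) throw std::out_of_range("dereference of end iterator");
        return *pos_;
    }
    CheckedCharIter& operator++() { if (pos_ != end_) ++pos_; return *this; }
    bool atEnd() const { return pos_ == end_; }
private:
    std::string::const_iterator pos_, end_;
};

// One hex digit to its 4-bit value; anything else (including '\0') is rejected.
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    throw std::invalid_argument("not a hex digit");
}

// Hypothetical decoder: two digits per byte, no read past the end of input.
std::vector<std::uint8_t> decodeHexChecked(const std::string& input) {
    std::vector<std::uint8_t> out;
    CheckedCharIter it(input.begin(), input.end());
    while (!it.atEnd()) {
        const int hi = hexValue(*it);
        ++it;
        const int lo = hexValue(*it);  // throws out_of_range for odd-length input
        ++it;
        out.push_back(static_cast<std::uint8_t>((hi << 4) | lo));
    }
    return out;
}

// True when decoding fails with an exception rather than undefined behaviour.
bool rejectsInput(const std::string& input) {
    try { decodeHexChecked(input); } catch (const std::exception&) { return true; }
    return false;
}
```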