[Opendnssec-develop] [OpenDNSSEC] #127: Large SOA serial numbers are not handled properly by "signer"
OpenDNSSEC
owner-dnssec-trac at kirei.se
Thu Apr 29 16:18:04 UTC 2010
#127: Large SOA serial numbers are not handled properly by "signer"
---------------------------------------------------+------------------------
Reporter: Anirban Mukherjee <amukherj@…> | Owner: matthijs
Type: defect | Status: new
Priority: major | Component: Signer
Version: 1.0.0 | Keywords:
---------------------------------------------------+------------------------
If the SOA serial number of the input unsigned zone is larger than
{{{2^31-1}}} (0x7fffffff or 2147483647), the generated signed zone always
has a serial number of {{{2^31-1}}} if "keep" or "counter" is used.
The problem seems to arise due to the use of the atol function in
signer/tools/signer.c (handle_command function). Since atol converts to a
signed long, its valid range limit is {{{(-)2^31 to 2^31-1}}}. A param
value greater than {{{2^31 - 1}}} causes it to return LONG_MAX or
{{{2^31-1}}}.
A possible fix is to use strtoul instead of atol.
Although this problem is seen for SOA, in theory it could occur for all
the uint32_t parameters. The attached signer.c uses strtoul instead of
atol for all uint32_t variables although this may not be strictly
necessary e.g. TTL should never exceed {{{2^31-1}}}.
A sample unsigned input zone with a large serial number and the
corresponding signed zone with incorrect serial is also attached.
--
Ticket URL: <http://trac.opendnssec.org/ticket/127>
OpenDNSSEC <http://www.opendnssec.org/>
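The following C program is an added illustration of the overflow the ticket describes and of a parser that handles it; it is not code from the ticket attachment or from OpenDNSSEC's signer. Function names (u32_via_atol, u32_via_strtoul, parse_u32, next_serial) and the sample serials are constructed for the demonstration. It also shows a caveat the ticket does not: on an LP64 build strtoul() alone is not enough, because values above 2^32-1 fit an unsigned long and are silently truncated by the cast, and a leading '-' is accepted.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What the ticket describes: the value goes through a signed long.
 * With a 32-bit long (ILP32) and glibc's atol, which is strtol underneath,
 * atol("4294967295") clamps to LONG_MAX, i.e. 2^31-1, which is the wrong
 * serial the reporter sees. With a 64-bit long (LP64) the same call happens
 * to fit, so the defect hides on those builds. */
static uint32_t u32_via_atol(const char *s)
{
    return (uint32_t)atol(s);
}

/* The proposed fix applied blindly: strtoul() with no error handling.
 * strtoul("-1") is defined to return ULONG_MAX, "12abc" parses as 12, and on
 * LP64 "4294967296" fits an unsigned long and truncates to 0 when cast, so
 * this is still not a validating parser. */
static uint32_t u32_via_strtoul(const char *s)
{
    return (uint32_t)strtoul(s, NULL, 10);
}

/* Validating parser for a 32-bit zone-file integer (SOA serial, TTL, ...).
 * Returns 0 and stores the value on success, -1 on any malformed input,
 * independent of sizeof(long). Hypothetical helper, not OpenDNSSEC code. */
static int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                /* empty, leading space/sign, non-digit */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE)
        return -1;                /* overflowed unsigned long itself */
    if (*end != '\0')
        return -1;                /* trailing garbage such as "12abc" */
    if (v > UINT32_MAX)
        return -1;                /* fits an LP64 unsigned long, not uint32_t */
    *out = (uint32_t)v;
    return 0;
}

/* Convenience wrapper for the demo: the parsed value, or -1 on rejection. */
static long long parse_u32_or_neg(const char *s)
{
    uint32_t v;
    return parse_u32(s, &v) == 0 ? (long long)v : -1LL;
}

/* A "counter"-style bump in RFC 1982 serial arithmetic: modulo 2^32, so the
 * serial after 4294967295 is 0, never a clamped 2^31-1. Illustration of the
 * mode the ticket names (assumed semantics), not OpenDNSSEC's implementation. */
static uint32_t next_serial(uint32_t current)
{
    return current + 1U;          /* unsigned overflow is well defined */
}

int main(void)
{
    /* Constructed sample serials, including the reporter's failing case. */
    static const char *const samples[] = {
        "2147483647", "2147483648", "4294967295", "4294967296", "-1", "12abc"
    };
    size_t i;

    printf("sizeof(long) = %zu\n", sizeof(long));
    printf("%-12s %12s %12s %12s\n", "input", "atol", "strtoul", "validated");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("%-12s %12lu %12lu %12lld\n", s,
               (unsigned long)u32_via_atol(s),
               (unsigned long)u32_via_strtoul(s),
               parse_u32_or_neg(s));
    }
    printf("next_serial(4294967295) = %lu\n",
           (unsigned long)next_serial(UINT32_MAX));
    return 0;
}
```

Run it once on a 32-bit and once on a 64-bit build to see the atol column change while the validated column stays the same; the explicit UINT32_MAX check is what makes the strtoul-based parser correct on both.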