SECURITY: Make GETIL_B always have type `unsigned', not `int'

Otherwise unwanted sign extension can easily occur when converting
from the implicit int to unsigned long, eg in GET_L.

Without this, ttls and the 32-bit SOA fields can be sign-extended,
exposing invalid values to the application.

Found by AFL 2.35b.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/src/internal.h b/src/internal.h
index 00cf8258b7b6849382d923e002200cafc2c2c719..43f6d4359848fda3eba8fd0ebbf482b10f25c4b2 100644 (file)
--- a/src/internal.h
+++ b/src/internal.h
@@ -934,7 +934,7 @@ static inline int errno_resources(int e) { return e==ENOMEM || e==ENOBUFS; }
   (( ((sz)+sizeof(union maxalign)-1) / sizeof(union maxalign) )        \
    * sizeof(union maxalign) )
 
-#define GETIL_B(cb) (((dgram)[(cb)++]) & 0x0ff)
+#define GETIL_B(cb) (((dgram)[(cb)++]) & 0x0ffu)
 #define GET_B(cb,tv) ((tv)= GETIL_B((cb)))
 #define GET_W(cb,tv) ((tv)=0,(tv)|=(GETIL_B((cb))<<8), (tv)|=GETIL_B(cb), (tv))
 #define GET_L(cb,tv) ( (tv)=0,                         \