Blame SOURCES/unbound-1.7.3-security-hardening.patch

d9cda3
diff --git a/config.h.in b/config.h.in
d9cda3
index 04356f3..3b06bfa 100644
d9cda3
--- a/config.h.in
d9cda3
+++ b/config.h.in
d9cda3
@@ -666,6 +666,9 @@
d9cda3
 /* Shared data */
d9cda3
 #undef SHARE_DIR
d9cda3
 
d9cda3
+/* The size of `size_t', as computed by sizeof. */
d9cda3
+#undef SIZEOF_SIZE_T
d9cda3
+
d9cda3
 /* The size of `time_t', as computed by sizeof. */
d9cda3
 #undef SIZEOF_TIME_T
d9cda3
 
d9cda3
diff --git a/configure.ac b/configure.ac
d9cda3
index c5e0c7b..1bff4ed 100644
d9cda3
--- a/configure.ac
d9cda3
+++ b/configure.ac
d9cda3
@@ -371,6 +371,7 @@ AC_INCLUDES_DEFAULT
d9cda3
 # endif
d9cda3
 #endif
d9cda3
 ])
d9cda3
+AC_CHECK_SIZEOF(size_t)
d9cda3
 
d9cda3
 # add option to disable the evil rpath
d9cda3
 ACX_ARG_RPATH
d9cda3
diff --git a/contrib/create_unbound_ad_servers.sh b/contrib/create_unbound_ad_servers.sh
d9cda3
index d31f078..49fdbff 100644
d9cda3
--- a/contrib/create_unbound_ad_servers.sh
d9cda3
+++ b/contrib/create_unbound_ad_servers.sh
d9cda3
@@ -9,12 +9,13 @@
d9cda3
 # Variables
d9cda3
 dst_dir="/etc/opt/csw/unbound"
d9cda3
 work_dir="/tmp"
d9cda3
-list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
d9cda3
+list_addr="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
d9cda3
 
d9cda3
 # OS commands
d9cda3
 CAT=`which cat`
d9cda3
 ECHO=`which echo`
d9cda3
 WGET=`which wget`
d9cda3
+TR=`which tr`
d9cda3
 
d9cda3
 # Check Wget installed
d9cda3
 if [ ! -f $WGET ]; then
d9cda3
@@ -22,8 +23,10 @@ if [ ! -f $WGET ]; then
d9cda3
  exit 1
d9cda3
 fi
d9cda3
 
d9cda3
+# remove special characters with tr to protect unbound.conf
d9cda3
 $WGET -O $work_dir/yoyo_ad_servers "$list_addr" && \
d9cda3
 $CAT $work_dir/yoyo_ad_servers | \
d9cda3
+$TR -d '";$\\' | \
d9cda3
 while read line ; \
d9cda3
  do \
d9cda3
    $ECHO "local-zone: \"$line\" redirect" ;\
d9cda3
@@ -36,4 +39,4 @@ echo "Done."
d9cda3
 #  the unbound_ad_servers file:
d9cda3
 #
d9cda3
 #   include: $dst_dir/unbound_ad_servers
d9cda3
-#
d9cda3
\ No newline at end of file
d9cda3
+#
d9cda3
diff --git a/daemon/daemon.c b/daemon/daemon.c
d9cda3
index 6820e11..1b4f329 100644
d9cda3
--- a/daemon/daemon.c
d9cda3
+++ b/daemon/daemon.c
d9cda3
@@ -426,9 +426,7 @@ daemon_create_workers(struct daemon* daemon)
d9cda3
 	int* shufport;
d9cda3
 	log_assert(daemon && daemon->cfg);
d9cda3
 	if(!daemon->rand) {
d9cda3
-		unsigned int seed = (unsigned int)time(NULL) ^ 
d9cda3
-			(unsigned int)getpid() ^ 0x438;
d9cda3
-		daemon->rand = ub_initstate(seed, NULL);
d9cda3
+		daemon->rand = ub_initstate(NULL);
d9cda3
 		if(!daemon->rand)
d9cda3
 			fatal_exit("could not init random generator");
d9cda3
 		hash_set_raninit((uint32_t)ub_random(daemon->rand));
d9cda3
diff --git a/daemon/worker.c b/daemon/worker.c
d9cda3
index 3acecc1..8354010 100644
d9cda3
--- a/daemon/worker.c
d9cda3
+++ b/daemon/worker.c
d9cda3
@@ -1629,18 +1629,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
d9cda3
 		return NULL;
d9cda3
 	}
d9cda3
 	/* create random state here to avoid locking trouble in RAND_bytes */
d9cda3
-	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
d9cda3
-		(((unsigned int)worker->thread_num)<<17);
d9cda3
-		/* shift thread_num so it does not match out pid bits */
d9cda3
-	if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
d9cda3
-		seed = 0;
d9cda3
+	if(!(worker->rndstate = ub_initstate(daemon->rand))) {
d9cda3
 		log_err("could not init random numbers.");
d9cda3
 		tube_delete(worker->cmd);
d9cda3
 		free(worker->ports);
d9cda3
 		free(worker);
d9cda3
 		return NULL;
d9cda3
 	}
d9cda3
-	seed = 0;
d9cda3
+	explicit_bzero(&seed, sizeof(seed));
d9cda3
 #ifdef USE_DNSTAP
d9cda3
 	if(daemon->cfg->dnstap) {
d9cda3
 		log_assert(daemon->dtenv != NULL);
d9cda3
diff --git a/dns64/dns64.c b/dns64/dns64.c
d9cda3
index 7889d72..300202c 100644
d9cda3
--- a/dns64/dns64.c
d9cda3
+++ b/dns64/dns64.c
d9cda3
@@ -782,6 +782,16 @@ dns64_inform_super(struct module_qstate* qstate, int id,
d9cda3
 	 * Signal that the sub-query is finished, no matter whether we are
d9cda3
 	 * successful or not. This lets the state machine terminate.
d9cda3
 	 */
d9cda3
+	if(!super->minfo[id]) {
d9cda3
+		super->minfo[id] = (enum dns64_qstate *)regional_alloc(super->region,
d9cda3
+			sizeof(*(super->minfo[id])));
d9cda3
+		if(!super->minfo[id]) {
d9cda3
+			log_err("out of memory");
d9cda3
+			super->return_rcode = LDNS_RCODE_SERVFAIL;
d9cda3
+			super->return_msg = NULL;
d9cda3
+			return;
d9cda3
+		}
d9cda3
+	}
d9cda3
	super->minfo[id] = (void*)DNS64_SUBQUERY_FINISHED;
d9cda3
 
d9cda3
 	/* If there is no successful answer, we're done. */
d9cda3
diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
d9cda3
index 3545d3d..7dd2ce5 100644
d9cda3
--- a/dnscrypt/dnscrypt.c
d9cda3
+++ b/dnscrypt/dnscrypt.c
d9cda3
@@ -732,6 +732,11 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
d9cda3
             );
d9cda3
             continue;
d9cda3
         }
d9cda3
+        if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) {
d9cda3
+		    /* guard against integer overflow in rrlen calculation */
d9cda3
+		    verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial);
d9cda3
+		    continue;
d9cda3
+        }
d9cda3
         rrlen = strlen(dnscenv->provider_name) +
d9cda3
                          strlen(ttl_class_type) +
d9cda3
                          4 * sizeof(struct SignedCert) + // worst case scenario
d9cda3
diff --git a/doc/Changelog b/doc/Changelog
d9cda3
index bb74461..4cb080e 100644
d9cda3
--- a/doc/Changelog
d9cda3
+++ b/doc/Changelog
d9cda3
@@ -1,3 +1,55 @@
d9cda3
+3 December 2019: Wouter
d9cda3
+	- Fix Assert Causing DoS in synth_cname(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Assert Causing DoS in dname_pkt_copy(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix OOB Read in sldns_wire2str_dname_scan(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Out of Bounds Write in sldns_b64_pton(),
d9cda3
+	  fixed by check in sldns_str2wire_int16_data_buf(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Out of Bound Write Compressed Names in rdata_copy(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Hang in sldns_wire2str_pkt_scan(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+
d9cda3
+20 November 2019: Wouter
d9cda3
+	- Fix Out of Bounds Read in rrinternal_get_owner(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Race Condition in autr_tp_create(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Shared Memory World Writeable,
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Adjust unbound-control to make stats_shm a read only operation.
d9cda3
+	- Fix Weak Entropy Used For Nettle,
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Randomness Error not Handled Properly,
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Out-of-Bounds Read in dname_valid(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Config Injection in create_unbound_ad_servers.sh,
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+
d9cda3
+19 November 2019: Wouter
d9cda3
+	- Fix Integer Overflow in Regional Allocator,
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Unchecked NULL Pointer in dns64_inform_super()
d9cda3
+	  and ipsecmod_new(), reported by X41 D-Sec.
d9cda3
+	- Fix Out-of-bounds Read in rr_comment_dnskey(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Integer Overflows in Size Calculations,
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Integer Overflow to Buffer Overflow in
d9cda3
+	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
d9cda3
+	- Fix Out of Bounds Read in sldns_str2wire_dname(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+	- Fix Out of Bounds Write in sldns_bget_token_par(),
d9cda3
+	  reported by X41 D-Sec.
d9cda3
+
d9cda3
 30 November 2018: Wouter
d9cda3
 	- log-tag-queryreply: yes in unbound.conf tags the log-queries and
d9cda3
 	  log-replies in the log file for easier log filter maintenance.
d9cda3
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
d9cda3
index 3572f12..1422a62 100644
d9cda3
--- a/ipsecmod/ipsecmod.c
d9cda3
+++ b/ipsecmod/ipsecmod.c
d9cda3
@@ -103,11 +103,11 @@ ipsecmod_new(struct module_qstate* qstate, int id)
d9cda3
 {
d9cda3
 	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
d9cda3
 		qstate->region, sizeof(struct ipsecmod_qstate));
d9cda3
-	memset(iq, 0, sizeof(*iq));
d9cda3
 	qstate->minfo[id] = iq;
d9cda3
 	if(!iq)
d9cda3
 		return 0;
d9cda3
 	/* Initialise it. */
d9cda3
+	memset(iq, 0, sizeof(*iq));
d9cda3
 	iq->enabled = qstate->env->cfg->ipsecmod_enabled;
d9cda3
 	iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
d9cda3
 		(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
d9cda3
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
d9cda3
index 8230d17..942c3d5 100644
d9cda3
--- a/iterator/iter_scrub.c
d9cda3
+++ b/iterator/iter_scrub.c
d9cda3
@@ -231,6 +231,10 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
d9cda3
 	size_t dtarglen;
d9cda3
 	if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
d9cda3
 		return 0; 
d9cda3
+	if(qnamelen <= dname_rrset->dname_len)
d9cda3
+		return 0;
d9cda3
+	if(qnamelen == 0)
d9cda3
+		return 0;
d9cda3
 	log_assert(qnamelen > dname_rrset->dname_len);
d9cda3
 	/* DNAME from com. to net. with qname example.com. -> example.net. */
d9cda3
 	/* so: \3com\0 to \3net\0 and qname \7example\3com\0 */
d9cda3
diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
d9cda3
index 275e8d2..a8979c2 100644
d9cda3
--- a/libunbound/libunbound.c
d9cda3
+++ b/libunbound/libunbound.c
d9cda3
@@ -83,7 +83,6 @@
d9cda3
 static struct ub_ctx* ub_ctx_create_nopipe(void)
d9cda3
 {
d9cda3
 	struct ub_ctx* ctx;
d9cda3
-	unsigned int seed;
d9cda3
 #ifdef USE_WINSOCK
d9cda3
 	int r;
d9cda3
 	WSADATA wsa_data;
d9cda3
@@ -107,15 +106,12 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
d9cda3
 		return NULL;
d9cda3
 	}
d9cda3
 	alloc_init(&ctx->superalloc, NULL, 0);
d9cda3
-	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
d9cda3
-	if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) {
d9cda3
-		seed = 0;
d9cda3
+	if(!(ctx->seed_rnd = ub_initstate(NULL))) {
d9cda3
 		ub_randfree(ctx->seed_rnd);
d9cda3
 		free(ctx);
d9cda3
 		errno = ENOMEM;
d9cda3
 		return NULL;
d9cda3
 	}
d9cda3
-	seed = 0;
d9cda3
 	lock_basic_init(&ctx->qqpipe_lock);
d9cda3
 	lock_basic_init(&ctx->rrpipe_lock);
d9cda3
 	lock_basic_init(&ctx->cfglock);
d9cda3
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
d9cda3
index 3dcaa78..07a08c6 100644
d9cda3
--- a/libunbound/libworker.c
d9cda3
+++ b/libunbound/libworker.c
d9cda3
@@ -122,7 +122,6 @@ libworker_delete_event(struct libworker* w)
d9cda3
 static struct libworker*
d9cda3
 libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
d9cda3
 {
d9cda3
-	unsigned int seed;
d9cda3
 	struct libworker* w = (struct libworker*)calloc(1, sizeof(*w));
d9cda3
 	struct config_file* cfg = ctx->env->cfg;
d9cda3
 	int* ports;
d9cda3
@@ -177,17 +176,13 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
d9cda3
 	}
d9cda3
 	w->env->worker = (struct worker*)w;
d9cda3
 	w->env->probe_timer = NULL;
d9cda3
-	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
d9cda3
-		(((unsigned int)w->thread_num)<<17);
d9cda3
-	seed ^= (unsigned int)w->env->alloc->next_id;
d9cda3
 	if(!w->is_bg || w->is_bg_thread) {
d9cda3
 		lock_basic_lock(&ctx->cfglock);
d9cda3
 	}
d9cda3
-	if(!(w->env->rnd = ub_initstate(seed, ctx->seed_rnd))) {
d9cda3
+	if(!(w->env->rnd = ub_initstate(ctx->seed_rnd))) {
d9cda3
 		if(!w->is_bg || w->is_bg_thread) {
d9cda3
 			lock_basic_unlock(&ctx->cfglock);
d9cda3
 		}
d9cda3
-		seed = 0;
d9cda3
 		libworker_delete(w);
d9cda3
 		return NULL;
d9cda3
 	}
d9cda3
@@ -207,7 +202,6 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
d9cda3
 			hash_set_raninit((uint32_t)ub_random(w->env->rnd));
d9cda3
 		}
d9cda3
 	}
d9cda3
-	seed = 0;
d9cda3
 
d9cda3
 	if(eb)
d9cda3
 		w->base = comm_base_create_event(eb);
d9cda3
diff --git a/respip/respip.c b/respip/respip.c
d9cda3
index 2e9313f..7d2a588 100644
d9cda3
--- a/respip/respip.c
d9cda3
+++ b/respip/respip.c
d9cda3
@@ -475,10 +475,16 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
d9cda3
 	if(!ck->rk.dname)
d9cda3
 		return NULL;
d9cda3
 
d9cda3
+	if((unsigned)data->count >= 0xffff00U)
d9cda3
+		return NULL; /* guard against integer overflow in dsize */
d9cda3
 	dsize = sizeof(struct packed_rrset_data) + data->count *
d9cda3
 		(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t));
d9cda3
-	for(i=0; i<data->count; i++)
d9cda3
+	for(i=0; i<data->count; i++) {
d9cda3
+		if((unsigned)dsize >= 0x0fffffffU ||
d9cda3
+			(unsigned)data->rr_len[i] >= 0x0fffffffU)
d9cda3
+			return NULL; /* guard against integer overflow */
d9cda3
 		dsize += data->rr_len[i];
d9cda3
+	}
d9cda3
 	d = regional_alloc(region, dsize);
d9cda3
 	if(!d)
d9cda3
 		return NULL;
d9cda3
diff --git a/sldns/parse.c b/sldns/parse.c
d9cda3
index b62c405..b30264e 100644
d9cda3
--- a/sldns/parse.c
d9cda3
+++ b/sldns/parse.c
d9cda3
@@ -325,8 +325,14 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
d9cda3
 		if (c == '\n' && p != 0) {
d9cda3
 			/* in parentheses */
d9cda3
 			/* do not write ' ' if we want to skip spaces */
d9cda3
-			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' '))))
d9cda3
+			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
d9cda3
+				/* check for space for the space character */
d9cda3
+				if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
d9cda3
+					*t = '\0';
d9cda3
+					return -1;
d9cda3
+				}
d9cda3
 				*t++ = ' ';
d9cda3
+			}
d9cda3
 			lc = c;
d9cda3
 			continue;
d9cda3
 		}
d9cda3
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
d9cda3
index 1a51bb6..414b7b8 100644
d9cda3
--- a/sldns/str2wire.c
d9cda3
+++ b/sldns/str2wire.c
d9cda3
@@ -150,6 +150,10 @@ int sldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
d9cda3
 	if(s) return s;
d9cda3
 
d9cda3
 	if(rel && origin && dlen > 0) {
d9cda3
+		if((unsigned)dlen >= 0x00ffffffU ||
d9cda3
+			(unsigned)origin_len >= 0x00ffffffU)
d9cda3
+			/* guard against integer overflow in addition */
d9cda3
+			return RET_ERR(LDNS_WIREPARSE_ERR_GENERAL, *len);
d9cda3
 		if(dlen + origin_len - 1 > LDNS_MAX_DOMAINLEN)
d9cda3
 			return RET_ERR(LDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
d9cda3
 				LDNS_MAX_DOMAINLEN);
d9cda3
@@ -168,7 +172,9 @@ uint8_t* sldns_str2wire_dname(const char* str, size_t* len)
d9cda3
 	uint8_t dname[LDNS_MAX_DOMAINLEN+1];
d9cda3
 	*len = sizeof(dname);
d9cda3
 	if(sldns_str2wire_dname_buf(str, dname, len) == 0) {
d9cda3
-		uint8_t* r = (uint8_t*)malloc(*len);
d9cda3
+		uint8_t* r;
d9cda3
+		if(*len > sizeof(dname)) return NULL;
d9cda3
+		r = (uint8_t*)malloc(*len);
d9cda3
 		if(r) return memcpy(r, dname, *len);
d9cda3
 	}
d9cda3
 	*len = 0;
d9cda3
@@ -187,6 +193,9 @@ rrinternal_get_owner(sldns_buffer* strbuf, uint8_t* rr, size_t* len,
d9cda3
 			sldns_buffer_position(strbuf));
d9cda3
 	}
d9cda3
 
d9cda3
+	if(token_len < 2) /* make sure there is space to read "@" or "" */
d9cda3
+		return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
d9cda3
+			sldns_buffer_position(strbuf));
d9cda3
 	if(strcmp(token, "@") == 0) {
d9cda3
 		uint8_t* tocopy;
d9cda3
 		if (origin) {
d9cda3
@@ -1094,7 +1103,7 @@ int sldns_str2wire_str_buf(const char* str, uint8_t* rd, size_t* len)
d9cda3
 	while(sldns_parse_char(&ch, &s)) {
d9cda3
 		if(sl >= 255)
d9cda3
 			return RET_ERR(LDNS_WIREPARSE_ERR_INVALID_STR, s-str);
d9cda3
-		if(*len < sl+1)
d9cda3
+		if(*len < sl+2)
d9cda3
 			return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
d9cda3
 				s-str);
d9cda3
 		rd[++sl] = ch;
d9cda3
@@ -2095,6 +2104,8 @@ int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
d9cda3
 	char* s;
d9cda3
 	int n;
d9cda3
 	n = strtol(str, &s, 10);
d9cda3
+	if(n < 0) /* negative number not allowed */
d9cda3
+		return LDNS_WIREPARSE_ERR_SYNTAX;
d9cda3
 	if(*len < ((size_t)n)+2)
d9cda3
 		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
d9cda3
 	if(n > 65535)
d9cda3
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
d9cda3
index 832239f..a95c9b3 100644
d9cda3
--- a/sldns/wire2str.c
d9cda3
+++ b/sldns/wire2str.c
d9cda3
@@ -585,6 +585,7 @@ static int rr_comment_dnskey(char** s, size_t* slen, uint8_t* rr,
d9cda3
 	if(rrlen < dname_off + 10) return 0;
d9cda3
 	rdlen = sldns_read_uint16(rr+dname_off+8);
d9cda3
 	if(rrlen < dname_off + 10 + rdlen) return 0;
d9cda3
+	if(rdlen < 2) return 0;
d9cda3
 	rdata = rr + dname_off + 10;
d9cda3
 	flags = (int)sldns_read_uint16(rdata);
d9cda3
 	w += sldns_str_print(s, slen, " ;{");
d9cda3
@@ -781,7 +782,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
d9cda3
 	/* spool labels onto the string, use compression if its there */
d9cda3
 	uint8_t* pos = *d;
d9cda3
 	unsigned i, counter=0;
d9cda3
-	const unsigned maxcompr = 1000; /* loop detection, max compr ptrs */
d9cda3
+	const unsigned maxcompr = 256; /* loop detection, max compr ptrs */
d9cda3
 	int in_buf = 1;
d9cda3
 	if(*dlen == 0) return sldns_str_print(s, slen, "ErrorMissingDname");
d9cda3
 	if(*pos == 0) {
d9cda3
@@ -789,7 +790,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
d9cda3
 		(*dlen)--;
d9cda3
 		return sldns_str_print(s, slen, ".");
d9cda3
 	}
d9cda3
-	while(*pos) {
d9cda3
+	while((!pkt || pos < pkt+pktlen) && *pos) {
d9cda3
 		/* read label length */
d9cda3
 		uint8_t labellen = *pos++;
d9cda3
 		if(in_buf) { (*d)++; (*dlen)--; }
d9cda3
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
d9cda3
index d165417..2884309 100644
d9cda3
--- a/smallapp/unbound-control.c
d9cda3
+++ b/smallapp/unbound-control.c
d9cda3
@@ -407,19 +407,19 @@ static void print_stats_shm(const char* cfgfile)
d9cda3
 	if(!config_read(cfg, cfgfile, NULL))
d9cda3
 		fatal_exit("could not read config file");
d9cda3
 	/* get shm segments */
d9cda3
-	id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R|SHM_W);
d9cda3
+	id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R);
d9cda3
 	if(id_ctl == -1) {
d9cda3
 		fatal_exit("shmget(%d): %s", cfg->shm_key, strerror(errno));
d9cda3
 	}
d9cda3
-	id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R|SHM_W);
d9cda3
+	id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R);
d9cda3
 	if(id_arr == -1) {
d9cda3
 		fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
d9cda3
 	}
d9cda3
-	shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
d9cda3
+	shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, SHM_RDONLY);
d9cda3
 	if(shm_stat == (void*)-1) {
d9cda3
 		fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
d9cda3
 	}
d9cda3
-	stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
d9cda3
+	stats = (struct ub_stats_info*)shmat(id_arr, NULL, SHM_RDONLY);
d9cda3
 	if(stats == (void*)-1) {
d9cda3
 		fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
d9cda3
 	}
d9cda3
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
d9cda3
index fecde80..96a6654 100644
d9cda3
--- a/testcode/unitmain.c
d9cda3
+++ b/testcode/unitmain.c
d9cda3
@@ -537,10 +537,8 @@ rnd_test(void)
d9cda3
 	struct ub_randstate* r;
d9cda3
 	int num = 1000, i;
d9cda3
 	long int a[1000];
d9cda3
-	unsigned int seed = (unsigned)time(NULL);
d9cda3
 	unit_show_feature("ub_random");
d9cda3
-	printf("ub_random seed is %u\n", seed);
d9cda3
-	unit_assert( (r = ub_initstate(seed, NULL)) );
d9cda3
+	unit_assert( (r = ub_initstate(NULL)) );
d9cda3
 	for(i=0; i
d9cda3
 		a[i] = ub_random(r);
d9cda3
 		unit_assert(a[i] >= 0);
d9cda3
diff --git a/util/data/dname.c b/util/data/dname.c
d9cda3
index b744f06..923be02 100644
d9cda3
--- a/util/data/dname.c
d9cda3
+++ b/util/data/dname.c
d9cda3
@@ -75,6 +75,8 @@ dname_valid(uint8_t* dname, size_t maxlen)
d9cda3
 {
d9cda3
 	size_t len = 0;
d9cda3
 	size_t labellen;
d9cda3
+	if(maxlen == 0)
d9cda3
+		return 0; /* too short, shortest is '0' root label */
d9cda3
 	labellen = *dname++;
d9cda3
 	while(labellen) {
d9cda3
 		if(labellen&0xc0)
d9cda3
@@ -345,11 +347,17 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
d9cda3
 void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
d9cda3
 {
d9cda3
 	/* copy over the dname and decompress it at the same time */
d9cda3
+	size_t comprcount = 0;
d9cda3
 	size_t len = 0;
d9cda3
 	uint8_t lablen;
d9cda3
 	lablen = *dname++;
d9cda3
 	while(lablen) {
d9cda3
 		if(LABEL_IS_PTR(lablen)) {
d9cda3
+			if(comprcount++ > MAX_COMPRESS_PTRS) {
d9cda3
+				/* too many compression pointers */
d9cda3
+				*to = 0; /* end the result prematurely */
d9cda3
+				return;
d9cda3
+			}
d9cda3
 			/* follow pointer */
d9cda3
             if((size_t)PTR_OFFSET(lablen, *dname)
d9cda3
                 >= sldns_buffer_limit(pkt))
d9cda3
@@ -358,6 +366,10 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
d9cda3
 			lablen = *dname++;
d9cda3
 			continue;
d9cda3
 		}
d9cda3
+		if(lablen > LDNS_MAX_LABELLEN) {
d9cda3
+			*to = 0; /* end the result prematurely */
d9cda3
+			return;
d9cda3
+		}
d9cda3
 		log_assert(lablen <= LDNS_MAX_LABELLEN);
d9cda3
 		len += (size_t)lablen+1;
d9cda3
 		if(len >= LDNS_MAX_DOMAINLEN) {
d9cda3
diff --git a/util/data/msgreply.c b/util/data/msgreply.c
d9cda3
index df2131c..dbae34d 100644
d9cda3
--- a/util/data/msgreply.c
d9cda3
+++ b/util/data/msgreply.c
d9cda3
@@ -238,10 +238,10 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
d9cda3
 				break;
d9cda3
 			}
d9cda3
 			if(len) {
d9cda3
+				log_assert(len <= pkt_len);
d9cda3
 				memmove(to, sldns_buffer_current(pkt), len);
d9cda3
 				to += len;
d9cda3
 				sldns_buffer_skip(pkt, (ssize_t)len);
d9cda3
-				log_assert(len <= pkt_len);
d9cda3
 				pkt_len -= len;
d9cda3
 			}
d9cda3
 			rdf++;
d9cda3
diff --git a/util/random.c b/util/random.c
d9cda3
index 8332960..9380502 100644
d9cda3
--- a/util/random.c
d9cda3
+++ b/util/random.c
d9cda3
@@ -86,8 +86,7 @@ ub_systemseed(unsigned int ATTR_UNUSED(seed))
d9cda3
 }
d9cda3
 
d9cda3
 struct ub_randstate* 
d9cda3
-ub_initstate(unsigned int ATTR_UNUSED(seed),
d9cda3
-	struct ub_randstate* ATTR_UNUSED(from))
d9cda3
+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
d9cda3
 {
d9cda3
 	struct ub_randstate* s = (struct ub_randstate*)malloc(1);
d9cda3
 	if(!s) {
d9cda3
@@ -123,8 +122,8 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
d9cda3
 {
d9cda3
 }
d9cda3
 
d9cda3
-struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 
d9cda3
-	struct ub_randstate* ATTR_UNUSED(from))
d9cda3
+struct ub_randstate* 
d9cda3
+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
d9cda3
 {
d9cda3
 	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
d9cda3
 	if(!s) {
d9cda3
@@ -140,7 +139,9 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
d9cda3
 	/* random 31 bit value. */
d9cda3
 	SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x));
d9cda3
 	if(s != SECSuccess) {
d9cda3
-		log_err("PK11_GenerateRandom error: %s",
d9cda3
+		/* unbound needs secure randomness for randomized
d9cda3
+		 * ID bits and port numbers in packets to upstream servers */
d9cda3
+		fatal_exit("PK11_GenerateRandom error: %s",
d9cda3
 			PORT_ErrorToString(PORT_GetError()));
d9cda3
 	}
d9cda3
 	return x & MAX_VALUE;
d9cda3
@@ -166,8 +167,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
d9cda3
 	log_err("Re-seeding not supported, generator untouched");
d9cda3
 }
d9cda3
 
d9cda3
-struct ub_randstate* ub_initstate(unsigned int seed,
d9cda3
-	struct ub_randstate* ATTR_UNUSED(from))
d9cda3
+struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
d9cda3
 {
d9cda3
 	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
d9cda3
 	uint8_t buf[YARROW256_SEED_FILE_SIZE];
d9cda3
@@ -183,15 +183,10 @@ struct ub_randstate* ub_initstate(unsigned int seed,
d9cda3
 		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
d9cda3
 		s->seeded = yarrow256_is_seeded(&s->ctx);
d9cda3
 	} else {
d9cda3
-		/* Stretch the uint32 input seed and feed it to Yarrow */
d9cda3
-		uint32_t v = seed;
d9cda3
-		size_t i;
d9cda3
-		for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
d9cda3
-			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
d9cda3
-			v = v*seed + (uint32_t)i;
d9cda3
-		}
d9cda3
-		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
d9cda3
-		s->seeded = yarrow256_is_seeded(&s->ctx);
d9cda3
+		log_err("nettle random(yarrow) cannot initialize, "
d9cda3
+			"getentropy failed: %s", strerror(errno));
d9cda3
+		free(s);
d9cda3
+		return NULL;
d9cda3
 	}
d9cda3
 
d9cda3
 	return s;
d9cda3
diff --git a/util/random.h b/util/random.h
d9cda3
index a05a994..e75157d 100644
d9cda3
--- a/util/random.h
d9cda3
+++ b/util/random.h
d9cda3
@@ -57,15 +57,12 @@ void ub_systemseed(unsigned int seed);
d9cda3
 
d9cda3
 /**
d9cda3
  * Initialize a random generator state for use 
d9cda3
- * @param seed: seed value to create state contents.
d9cda3
- *	(ignored for arc4random).
d9cda3
  * @param from: if not NULL, the seed is taken from this random structure.
d9cda3
  * 	can be used to seed random states via a parent-random-state that
d9cda3
  * 	is itself seeded with entropy.
d9cda3
  * @return new state or NULL alloc failure.
d9cda3
  */
d9cda3
-struct ub_randstate* ub_initstate(unsigned int seed, 
d9cda3
-	struct ub_randstate* from);
d9cda3
+struct ub_randstate* ub_initstate(struct ub_randstate* from);
d9cda3
 
d9cda3
 /**
d9cda3
  * Generate next random number from the state passed along.
d9cda3
diff --git a/util/regional.c b/util/regional.c
d9cda3
index 899a54e..5be09eb 100644
d9cda3
--- a/util/regional.c
d9cda3
+++ b/util/regional.c
d9cda3
@@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
d9cda3
 void *
d9cda3
 regional_alloc(struct regional *r, size_t size)
d9cda3
 {
d9cda3
-	size_t a = ALIGN_UP(size, ALIGNMENT);
d9cda3
+	size_t a;
d9cda3
 	void *s;
d9cda3
+	if(
d9cda3
+#if SIZEOF_SIZE_T == 8
d9cda3
+		(unsigned long long)size >= 0xffffffffffffff00ULL
d9cda3
+#else
d9cda3
+		(unsigned)size >= (unsigned)0xffffff00UL
d9cda3
+#endif
d9cda3
+		)
d9cda3
+		return NULL; /* protect against integer overflow in
d9cda3
+			malloc and ALIGN_UP */
d9cda3
+	a = ALIGN_UP(size, ALIGNMENT);
d9cda3
 	/* large objects */
d9cda3
 	if(a > REGIONAL_LARGE_OBJECT_SIZE) {
d9cda3
 		s = malloc(ALIGNMENT + size);
d9cda3
diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c
d9cda3
index a783c09..69bee4d 100644
d9cda3
--- a/util/shm_side/shm_main.c
d9cda3
+++ b/util/shm_side/shm_main.c
d9cda3
@@ -121,7 +121,7 @@ int shm_main_init(struct daemon* daemon)
d9cda3
 		shmctl(daemon->shm_info->id_arr, IPC_RMID, NULL);
d9cda3
 
d9cda3
 	/* SHM: Create the segment */
d9cda3
-	daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0666);
d9cda3
+	daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0644);
d9cda3
 
d9cda3
 	if (daemon->shm_info->id_ctl < 0)
d9cda3
 	{
d9cda3
@@ -134,7 +134,7 @@ int shm_main_init(struct daemon* daemon)
d9cda3
 		return 0;
d9cda3
 	}
d9cda3
 
d9cda3
-	daemon->shm_info->id_arr = shmget(daemon->shm_info->key + 1, shm_size, IPC_CREAT | 0666);
d9cda3
+	daemon->shm_info->id_arr = shmget(daemon->shm_info->key + 1, shm_size, IPC_CREAT | 0644);
d9cda3
 
d9cda3
 	if (daemon->shm_info->id_arr < 0)
d9cda3
 	{
d9cda3
diff --git a/validator/autotrust.c b/validator/autotrust.c
d9cda3
index 7bc5577..e19bd7b 100644
d9cda3
--- a/validator/autotrust.c
d9cda3
+++ b/validator/autotrust.c
d9cda3
@@ -370,10 +370,10 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
d9cda3
 		free(tp);
d9cda3
 		return NULL;
d9cda3
 	}
d9cda3
-	lock_basic_unlock(&anchors->lock);
d9cda3
 	lock_basic_init(&tp->lock);
d9cda3
 	lock_protect(&tp->lock, tp, sizeof(*tp));
d9cda3
 	lock_protect(&tp->lock, tp->autr, sizeof(*tp->autr));
d9cda3
+	lock_basic_unlock(&anchors->lock);
d9cda3
 	return tp;
d9cda3
 }
d9cda3