Fix isc_buffer_init capacity mismatch in DoH data chunk callback

isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated.  This makes the buffer
believe it has more space than actually allocated.  A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.

Pass h2->content_length as the capacity to match the allocation.
Ondřej Surý 2026-03-11 13:17:45 +01:00
parent 929eccdfdc
commit 8e240bbb5f


@ -642,13 +642,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data,
&h2->rbuf,
isc_mem_allocate(mctx,
h2->content_length),
MAX_DNS_MESSAGE_SIZE);
h2->content_length);
}
size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) +
len;
if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
new_bufsize <= h2->content_length)
{
if (new_bufsize <= h2->content_length) {
session->processed_useful_data += len;
isc_buffer_putmem(&h2->rbuf, data, len);
break;
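Review bot: the hunk drops the `new_bufsize <= MAX_DNS_MESSAGE_SIZE` half of the bounds check, so the only cap on accumulated chunk data is now `h2->content_length`, and nothing in this hunk shows that value being validated against MAX_DNS_MESSAGE_SIZE before `isc_mem_allocate(mctx, h2->content_length)` runs. If the Content-Length parsing path does not already reject oversized values, this change turns a peer-controlled header into both the allocation size and the accept-data limit; either keep the `new_bufsize <= MAX_DNS_MESSAGE_SIZE &&` condition, or add an assertion such as `INSIST(h2->content_length <= MAX_DNS_MESSAGE_SIZE);` next to the allocation so the reviewer can see the invariant is enforced here rather than assumed from elsewhere. With capacity and allocation now equal, `isc_buffer_putmem()` will also trip its own available-space check on any miscount, which is the right failure mode, but it is worth stating that in the commit message so the removed condition is not read as a lost check.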