From 8e240bbb5ff563b1caaa13afdd1338079e2d751b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 11 Mar 2026 13:17:45 +0100 Subject: [PATCH] Fix isc_buffer_init capacity mismatch in DoH data chunk callback isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but only h2->content_length bytes are allocated. This makes the buffer believe it has more space than actually allocated. A secondary bounds check (new_bufsize <= h2->content_length) prevents actual overflow, but the buffer invariant is violated. Pass h2->content_length as the capacity to match the allocation. --- lib/isc/netmgr/http.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c index 645f256059..4d8fe48174 100644 --- a/lib/isc/netmgr/http.c +++ b/lib/isc/netmgr/http.c @@ -642,13 +642,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data, &h2->rbuf, isc_mem_allocate(mctx, h2->content_length), - MAX_DNS_MESSAGE_SIZE); + h2->content_length); } size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) + len; - if (new_bufsize <= MAX_DNS_MESSAGE_SIZE && - new_bufsize <= h2->content_length) - { + if (new_bufsize <= h2->content_length) { session->processed_useful_data += len; isc_buffer_putmem(&h2->rbuf, data, len); break;