upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 06:19:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

[9.20] fix: dev: Fix isc_buffer_init capacity mismatch in DoH data chunk callback

Browse source 
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated.  This makes the buffer
believe it has more space than actually allocated.  A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.

Pass h2->content_length as the capacity to match the allocation.

Backport of MR !11662

Merge branch 'backport-ondrej/fix-isc_buffer_init-capacity-mismatch-in-DoH-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11709
This commit is contained in:
Ondřej Surý 2026-03-18 15:26:29 +01:00
commit f0a2b07359
1 changed files with 2 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/isc/netmgr/http.c
View file

@ -644,13 +644,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data,
&h2->rbuf,
isc_mem_allocate(mctx,
h2->content_length),
MAX_DNS_MESSAGE_SIZE);
h2->content_length);
}
size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) +
len;
if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
new_bufsize <= h2->content_length)
{
if (new_bufsize <= h2->content_length) {
session->processed_useful_data += len;
isc_buffer_putmem(&h2->rbuf, data, len);
break;