BUG/MINOR: resolvers: relax size checks in authority record parsing

Both boundary checks in the authority record parsing loop of resolv_validate_dns_response() use >= bufend where they should use > bufend, causing valid DNS responses with exactly enough bytes to be rejected as invalid. The first one, "reader + offset + 10 >= bufend" is too strict since it prevents 10-byte responses from being accepted as valid while they are. The second one, "reader + len >= bufend" has the same issue, when exactly len bytes remain, the check rejects it even though dns_max_name() already validated it. It may be backported though it is unlikely to ever be noticed.
2026-05-25 10:42:14 -04:00 · 2026-05-22 06:47:39 +00:00 · 2026-05-22 06:47:39 +00:00 · 480c247ebd
commit 480c247ebd
parent 14957b4a49
1 changed files with 2 additions and 2 deletions
--- a/src/resolvers.c
+++ b/src/resolvers.c
@ -1435,7 +1435,7 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
 		if (len == 0)
 			goto invalid_resp;

-		if (reader + offset + 10 >= bufend)
+		if (reader + offset + 10 > bufend)
 			goto invalid_resp;

 		reader += offset;
@ -1449,7 +1449,7 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
 		len = reader[0] * 256 + reader[1];
 		reader += 2;

-		if (reader + len >= bufend)
+		if (reader + len > bufend)
 			goto invalid_resp;

 		reader += len;