From 480c247ebda3dbc2e1d7d627ef66fca26974ca60 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 22 May 2026 06:47:39 +0000
Subject: [PATCH] BUG/MINOR: resolvers: relax size checks in authority record parsing

Both boundary checks in the authority record parsing loop of resolv_validate_dns_response() use >= bufend where they should use > bufend, causing valid DNS responses with exactly enough bytes to be rejected as invalid. The first one, "reader + offset + 10 >= bufend" is too strict since it prevents 10-byte responses from being accepted as valid while they are. The second one, "reader + len >= bufend" has the same issue, when exactly len bytes remain, the check rejects it even though dns_max_name() already validated it. It may be backported though it is unlikely to ever be noticed.
---
 src/resolvers.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/resolvers.c b/src/resolvers.c
index af38ca357..1bcbdb857 100644
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -1435,7 +1435,7 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
  if (len == 0)
  goto invalid_resp;
- if (reader + offset + 10 >= bufend)
+ if (reader + offset + 10 > bufend)
  goto invalid_resp;
  reader += offset;
@@ -1449,7 +1449,7 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
  len = reader[0] * 256 + reader[1];
  reader += 2;
- if (reader + len >= bufend)
+ if (reader + len > bufend)
  goto invalid_resp;
  reader += len;
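Review bot: Both relaxed checks still form the pointer first and compare it second (`reader + offset + 10` in the first hunk, `reader + len` in the second), and in the second hunk `len` is read from the response itself (`reader[0] * 256 + reader[1]`, so up to 65535). Computing a pointer more than one element past the end of the buffer is undefined behaviour in C, so the bound is safer expressed on the remaining length: `if (offset + 10 > bufend - reader)` and `if (len > bufend - reader)`; the declarations of `offset` and `len` are outside the hunks, so the signedness of those comparisons needs confirming. With `>`, `reader += len` can now land exactly on `bufend`; the function body continues outside both hunks, so it is worth checking that whatever runs next tests the bound before reading `reader[0]`. A regression case whose authority record ends exactly at `bufend` would pin the new boundary.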