upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-26 11:20:51 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 15

BUG/MINOR: resolvers: relax size checks in authority record parsing

Browse source 
Both boundary checks in the authority record parsing loop of
resolv_validate_dns_response() use >= bufend where they should use
> bufend, causing valid DNS responses with exactly enough bytes to be
rejected as invalid.

The first one, "reader + offset + 10 >= bufend" is too strict since it
prevents 10-byte responses from being accepted as valid while they
are. The second one, "reader + len >= bufend" has the same issue, when
exactly len bytes remain, the check rejects it even though dns_max_name()
already validated it. It may be backported though it is unlikely to ever
be noticed.
This commit is contained in:
Willy Tarreau 2026-05-22 06:47:39 +00:00
parent 73472025f2
commit 4f58fef3d4
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/resolvers.c
View file

@ -1435,7 +1435,7 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
if (len == 0)
goto invalid_resp;
if (reader + offset + 10 >= bufend)
if (reader + offset + 10 > bufend)
goto invalid_resp;
reader += offset;
@ -1449,7 +1449,7 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
len = reader[0] * 256 + reader[1];
reader += 2;
if (reader + len >= bufend)
if (reader + len > bufend)
goto invalid_resp;
reader += len;