From 75f72c2eb9185fb99f8dd322734b8ddae8dc2d56 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 22 May 2026 11:13:30 +0200
Subject: [PATCH] BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()

In resolv_dn_label_to_str(), size for a dn label was stored into an integer from a signed char without a cast to unsigned. So dn labels with a size of 128 bytes or more become negative, thus skipping the copy loop and desynchronizing input vs output.

In addition, the size of the destination string was only checked at the beginning, against the dn string length. But it must also be checked for every dn label, to be sure. The dn string can be forged to copy more bytes than expected.

This patch must be backported to all stable versions.
---
 src/resolvers.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/resolvers.c b/src/resolvers.c index 07c25b2c8..ee49fb8f9 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -1855,7 +1855,12 @@ int resolv_dn_label_to_str(const char *dn, int dn_len, char *str, int str_len) ptr = str; for (i = 0; i < dn_len; ++i) { - sz = dn[i]; + sz = (unsigned char)dn[i]; + + /* Check str_len adding 1 for the dot if (i!=0) */ + if (str_len < sz+i+(!!i)) + return -1; + if (i) *ptr++ = '.'; /* copy the string at i+1 to lower case */
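
Review bot: The new bound at the top of the loop body checks only the destination (`if (str_len < sz+i+(!!i))`); nothing in the visible lines checks that the label length read from `dn[i]` stays inside the input. With `sz` now able to reach 255, a length byte near the end of the buffer can still drive the copy that follows (below this hunk) past `dn_len`. Unless every caller guarantees well-formed labels, consider also returning -1 here when `sz > dn_len - i - 1`. Separately, the check uses the input offset `i` as a stand-in for the bytes already written to `str`. For `i != 0` it leaves one spare byte after the label, but for `i == 0` it accepts `sz == str_len`, which leaves no room for a terminator if one is written after the loop (not shown in this hunk). Comparing against `str_len - (ptr - str)` and reserving the terminator byte explicitly would make the bound easier to verify, and the comment could state that invariant.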