From a57e735cc3d4e8a35024476776d766eaa0fa7512 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sat, 23 May 2026 18:55:22 +0200 Subject: [PATCH] BUG/MINOR: resolvers: fix risk of appending garbage past the domain name The previous fix 75f72c2eb ("BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()") may still leave garbage from the input buffer into the response: if a component length is passed as zero, it should mark the end, but instead a dot will be emitted, and whatever follows it in the input buffer would continue to be appended as extra components. While having no direct consequences beyond the domain not being properly decoded, it could at least complicate troubleshooting. This should be backported where the fix above is backported. --- src/resolvers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/resolvers.c b/src/resolvers.c index 92698209c..1bcbdb857 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -1854,6 +1854,9 @@ int resolv_dn_label_to_str(const char *dn, int dn_len, char *str, int str_len) for (i = 0; i < dn_len; ++i) { sz = (unsigned char)dn[i]; + if (!sz) + break; + /* Check str_len adding 1 for the dot if (i!=0) and 1 for null terminator */ if (str_len < sz+i+(!!i)+1) return -1;