From: Ondřej Surý
Date: Wed, 11 Mar 2026 12:17:45 +0000 (+0100)
Subject: Fix isc_buffer_init capacity mismatch in DoH data chunk callback
X-Git-Tag: v9.21.21~30^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e240bbb5ff563b1caaa13afdd1338079e2d751b;p=thirdparty%2Fbind9.git

Fix isc_buffer_init capacity mismatch in DoH data chunk callback

isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but only h2->content_length bytes are allocated. This makes the buffer believe it has more space than actually allocated. A secondary bounds check (new_bufsize <= h2->content_length) prevents actual overflow, but the buffer invariant is violated.

Pass h2->content_length as the capacity to match the allocation.
---

diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c index 645f2560599..4d8fe48174c 100644 --- a/lib/isc/netmgr/http.c +++ b/lib/isc/netmgr/http.c @@ -642,13 +642,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data, &h2->rbuf, isc_mem_allocate(mctx, h2->content_length), - MAX_DNS_MESSAGE_SIZE); + h2->content_length); } size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) + len; - if (new_bufsize <= MAX_DNS_MESSAGE_SIZE && - new_bufsize <= h2->content_length) - { + if (new_bufsize <= h2->content_length) { session->processed_useful_data += len; isc_buffer_putmem(&h2->rbuf, data, len); break;
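Review bot: dropping the `new_bufsize <= MAX_DNS_MESSAGE_SIZE` conjunct from the `if` in this hunk is only equivalent to the old check if `h2->content_length` is already bounded by `MAX_DNS_MESSAGE_SIZE` before the `isc_mem_allocate(mctx, h2->content_length)` call, and nothing in the visible context establishes that bound. If it is enforced elsewhere (for example where the peer's Content-Length is parsed), the commit message should say so; otherwise keep the conjunct or add an explicit `INSIST(h2->content_length <= MAX_DNS_MESSAGE_SIZE)` next to the allocation, so that a peer-declared length above 65535 can neither pass this check nor drive an oversized allocation. The capacity change itself is correct: with the capacity now equal to the allocated size, the remaining `new_bufsize <= h2->content_length` check is what keeps `isc_buffer_putmem(&h2->rbuf, data, len)` from overrunning the region, so it must stay in place.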