isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated. This makes the buffer
believe it has more space than actually allocated. A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.
Pass h2->content_length as the capacity to match the allocation.
Merge branch 'ondrej/fix-isc_buffer_init-capacity-mismatch-in-DoH' into 'main'
See merge request isc-projects/bind9!11662
projects / thirdparty / bind9.git / commitdiff
