Fix isc_buffer_init capacity mismatch in DoH data chunk callback

isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated.  This makes the buffer
believe it has more space than actually allocated.  A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.

Pass h2->content_length as the capacity to match the allocation.

diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index 645f256059972338fd03af817e85d24714e585fc..4d8fe48174c3d28e4c4aa5b2190e064f85579555 100644 (file)
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -642,13 +642,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data,
                                        &h2->rbuf,
                                        isc_mem_allocate(mctx,
                                                         h2->content_length),
-                                       MAX_DNS_MESSAGE_SIZE);
+                                       h2->content_length);
                        }
                        size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) +
                                             len;
-                       if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
-                           new_bufsize <= h2->content_length)
-                       {
+                       if (new_bufsize <= h2->content_length) {
                                session->processed_useful_data += len;
                                isc_buffer_putmem(&h2->rbuf, data, len);
                                break;