- Fix out of bounds read in parse_edns_options_from_query, it would read 762/head
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 16 Aug 2023 14:58:49 +0000 (16:58 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 16 Aug 2023 14:58:49 +0000 (16:58 +0200)
  8 bytes after a client option of length 8, and then ignore them to
  recreate a 24 byte response. The fixup does not read out of bounds,
  and puts zeroes in the buffer at that point, that then are ignored.

util/data/msgparse.c

index 40189d6136b77f093869bbb8096b81ab39906f44..b5414c6d0a55475c0502dd9411427d8b663ac374 100644 (file)
@@ -1049,7 +1049,12 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
                        /* Copy client cookie, version and timestamp for
                         * validation and creation purposes.
                         */
-                       memmove(server_cookie, rdata_ptr, 16);
+                       if(opt_len >= 16) {
+                               memmove(server_cookie, rdata_ptr, 16);
+                       } else {
+                               memset(server_cookie, 0, 16);
+                               memmove(server_cookie, rdata_ptr, opt_len);
+                       }
 
                        /* Copy client ip for validation and creation
                         * purposes. It will be overwritten if (re)creation
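Review bot: The `else` branch that zero-fills `server_cookie` has no comment, and the comment above the copy still describes only the full 16-byte case, so a reader cannot tell that a shorter option is expected here. I would add something like `/* Client cookie only: zero the version and timestamp bytes rather than reading past the option. */` above the `memset`. The short path is safe only if `opt_len` has already been checked against the remaining rdata and `server_cookie` holds at least 16 bytes; neither is visible in this hunk, because the function starts and ends outside it, so both are worth confirming. Later validation presumably has to treat the zeroed bytes as "no server cookie" rather than as a cookie value, which the commit message says is the case.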