From: Willy Tarreau Date: Sat, 23 May 2026 16:55:22 +0000 (+0200) Subject: BUG/MINOR: resolvers: fix risk of appending garbage past the domain name X-Git-Tag: v3.4-dev14~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49d6306de311cd05cba21fad580c69e01b694e66;p=thirdparty%2Fhaproxy.git BUG/MINOR: resolvers: fix risk of appending garbage past the domain name The previous fix 75f72c2eb ("BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()") may still leave garbage from the input buffer into the response: if a component length is passed as zero, it should mark the end, but instead a dot will be emitted, and whatever follows it in the input buffer would continue to be appended as extra components. While having no direct consequences beyond the domain not being properly decoded, it could at least complicate troubleshooting. This should be backported where the fix above is backported. --- diff --git a/src/resolvers.c b/src/resolvers.c index 5308eaeb7..7bf245dbc 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -1857,6 +1857,9 @@ int resolv_dn_label_to_str(const char *dn, int dn_len, char *str, int str_len) for (i = 0; i < dn_len; ++i) { sz = (unsigned char)dn[i]; + if (!sz) + break; + /* Check str_len adding 1 for the dot if (i!=0) and 1 for null terminator */ if (str_len < sz+i+(!!i)+1) return -1;