From: W.C.A. Wijngaards Date: Wed, 16 Aug 2023 14:58:49 +0000 (+0200) Subject: - Fix out of bounds read in parse_edns_options_from_query, it would read X-Git-Tag: release-1.18.0rc1~14^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F762%2Fhead;p=thirdparty%2Funbound.git - Fix out of bounds read in parse_edns_options_from_query, it would read 8 bytes after a client option of length 8, and then ignore them to recreate a 24 byte response. The fixup does not read out of bounds, and puts zeroes in the buffer at that point, that then are ignored. --- diff --git a/util/data/msgparse.c b/util/data/msgparse.c index 40189d613..b5414c6d0 100644 --- a/util/data/msgparse.c +++ b/util/data/msgparse.c @@ -1049,7 +1049,12 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* Copy client cookie, version and timestamp for * validation and creation purposes. */ - memmove(server_cookie, rdata_ptr, 16); + if(opt_len >= 16) { + memmove(server_cookie, rdata_ptr, 16); + } else { + memset(server_cookie, 0, 16); + memmove(server_cookie, rdata_ptr, opt_len); + } /* Copy client ip for validation and creation * purposes. It will be overwritten if (re)creation