From 1c85901cc4c0f7693183f4b280604619e56cba00 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 16 Aug 2023 16:58:49 +0200 Subject: [PATCH] - Fix out of bounds read in parse_edns_options_from_query, it would read 8 bytes after a client option of length 8, and then ignore them to recreate a 24 byte response. The fixup does not read out of bounds, and puts zeroes in the buffer at that point, that then are ignored. --- util/data/msgparse.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/util/data/msgparse.c b/util/data/msgparse.c index 40189d613..b5414c6d0 100644 --- a/util/data/msgparse.c +++ b/util/data/msgparse.c @@ -1049,7 +1049,12 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, /* Copy client cookie, version and timestamp for * validation and creation purposes. */ - memmove(server_cookie, rdata_ptr, 16); + if(opt_len >= 16) { + memmove(server_cookie, rdata_ptr, 16); + } else { + memset(server_cookie, 0, 16); + memmove(server_cookie, rdata_ptr, opt_len); + } /* Copy client ip for validation and creation * purposes. It will be overwritten if (re)creation -- 2.39.5