[Fix] Fix TCP DNS uninitialized memory leak 5716/head
authorVsevolod Stakhov <vsevolod@rspamd.com>
Wed, 29 Oct 2025 13:45:38 +0000 (13:45 +0000)
committerVsevolod Stakhov <vsevolod@rspamd.com>
Wed, 29 Oct 2025 13:46:24 +0000 (13:46 +0000)
When rescheduling a DNS request from UDP to TCP, the code was using
req->packet_len (allocated buffer size) instead of req->pos (actual
packet size) to copy and send the DNS packet. This caused random
garbage from uninitialized memory to be appended to TCP DNS queries.

The bug was particularly noticeable with short queries like TXT records,
where the allocated buffer could be 2-3x larger than the actual packet.

contrib/librdns/resolver.c

index 29624ef2a9c3b52470295efebf6fae9674a9d5fb..117c85e15d379a585800374b40fe296ae878e922 100644 (file)
@@ -473,7 +473,7 @@ rdns_reschedule_req_over_tcp(struct rdns_request *req, struct rdns_server *serv)
 
                struct rdns_tcp_output_chain *oc;
 
-               oc = calloc(1, sizeof(*oc) + req->packet_len);
+               oc = calloc(1, sizeof(*oc) + req->pos);
 
                if (oc == NULL) {
                        rdns_err("failed to allocate output buffer for TCP ioc: %s",
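Review bot: `req->pos` now sizes the `calloc` in this hunk and feeds `memcpy` and `htons` in the next one, but nothing visible checks its range first. The DNS-over-TCP length prefix is 16 bits, so a value above 65535 would be truncated by `htons` while `memcpy` still copies the full count, leaving the framing and the payload out of step. Assuming `pos` and `packet_len` are integer fields of compatible width (their declarations are outside the hunk), a guard such as `if (req->pos == 0 || req->pos > UINT16_MAX || req->pos > req->packet_len)` before the allocation, taking the function's existing failure path, would make the invariant explicit. A short comment on the copy, e.g. `/* send only the req->pos bytes actually written; the tail of req->packet is uninitialized */`, would also keep `packet_len` from being reintroduced later. The body of rdns_reschedule_req_over_tcp starts and ends outside both hunks, so an earlier check may already exist.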
@@ -482,8 +482,8 @@ rdns_reschedule_req_over_tcp(struct rdns_request *req, struct rdns_server *serv)
                }
 
                oc->write_buf = ((unsigned char *) oc) + sizeof(*oc);
-               memcpy(oc->write_buf, req->packet, req->packet_len);
-               oc->next_write_size = htons(req->packet_len);
+               memcpy(oc->write_buf, req->packet, req->pos);
+               oc->next_write_size = htons(req->pos);
 
                DL_APPEND(ioc->tcp->output_chain, oc);