]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 96286b2)
BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
authorChristopher Faulet <cfaulet@haproxy.com>
Wed, 4 Mar 2026 17:29:21 +0000 (18:29 +0100)
committerChristopher Faulet <cfaulet@haproxy.com>
Thu, 5 Mar 2026 14:35:31 +0000 (15:35 +0100)
Names found in DNS responses are lowered to be compared. A name is composed
of several labels, strings precedeed by their length on one byte. For
instance:

 3www7haproxy3org

There is an bug when labels are lowered. The label length is not skipped and
tolower() function is called on it. So for label length in the range [65-90]
(uppercase char), 32 is added to the label length due to the conversion of a
uppercase char to lowercase. This bugs can lead to OOB read later in the
resolvers code.

The fix is quite obvious, the label length must be skipped when the label is
lowered.

Thank you to Kamil Frankowicz for having reported this.

This patch must be backported to all stable versions.

src/resolvers.c patch | blob | blame | history

diff --git a/src/resolvers.c b/src/resolvers.c
index 5aa2a595f37f899c650673b0dd8a508bcc4ed983..f48a2bf9bfdabdd255094ba6ed7a1a238f22d644 100644 (file)
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -656,8 +656,9 @@ int resolv_read_name(unsigned char *buffer, unsigned char *bufend,
 
                /* +1 to take label len + label string */
                label_len++;
-
-               for (n = 0; n < label_len; n++) {
+               *dest = *reader; /* copy label len */
+               /* copy lowered label string */
+               for (n = 1; n < label_len; n++) {
                        dest[n] = tolower(reader[n]);
                }
 
Mirror of https://github.com/haproxy/haproxy.git