From: Vsevolod Stakhov Date: Wed, 29 Oct 2025 13:45:38 +0000 (+0000) Subject: [Fix] Fix TCP DNS uninitialized memory leak X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2345de9a97fbd8e1224a1e4435590738bb66938e;p=thirdparty%2Frspamd.git [Fix] Fix TCP DNS uninitialized memory leak When rescheduling a DNS request from UDP to TCP, the code was using req->packet_len (allocated buffer size) instead of req->pos (actual packet size) to copy and send the DNS packet. This caused random garbage from uninitialized memory to be appended to TCP DNS queries. The bug was particularly noticeable with short queries like TXT records, where the allocated buffer could be 2-3x larger than the actual packet.
---
diff --git a/contrib/librdns/resolver.c b/contrib/librdns/resolver.c
index 29624ef2a9..117c85e15d 100644
--- a/contrib/librdns/resolver.c
+++ b/contrib/librdns/resolver.c
@@ -473,7 +473,7 @@ rdns_reschedule_req_over_tcp(struct rdns_request *req, struct rdns_server *serv)
 struct rdns_tcp_output_chain *oc;
- oc = calloc(1, sizeof(*oc) + req->packet_len);
+ oc = calloc(1, sizeof(*oc) + req->pos);
 if (oc == NULL) {
 rdns_err("failed to allocate output buffer for TCP ioc: %s",
@@ -482,8 +482,8 @@ rdns_reschedule_req_over_tcp(struct rdns_request *req, struct rdns_server *serv)
 }
 oc->write_buf = ((unsigned char *) oc) + sizeof(*oc);
- memcpy(oc->write_buf, req->packet, req->packet_len);
- oc->next_write_size = htons(req->packet_len);
+ memcpy(oc->write_buf, req->packet, req->pos);
+ oc->next_write_size = htons(req->pos);
 DL_APPEND(ioc->tcp->output_chain, oc);
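Review bot: Nothing at the `calloc` line records why `req->pos` and not `req->packet_len` is the correct size, and the same expression is repeated in the `memcpy` and `htons` lines of the second hunk, so the three sizes can drift apart again. A comment above the allocation such as `/* req->pos: bytes of the encoded query; req->packet_len: buffer capacity, bytes past pos are uninitialised and must not be sent */` would keep the disclosure reason next to the code. Reading the value once into a local (for example `qlen = req->pos`, declared with the field's own type, which is not visible here) and using it in all three places would make the allocation, copy and length prefix agree by construction. The function body starts and ends outside the hunk.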
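Review bot: `htons(req->pos)` takes a 16-bit value, so a `req->pos` above 65535 would give a length prefix smaller than the number of bytes `memcpy` copies on the line before; nothing in the hunk bounds it. The copy also relies on `req->pos` never exceeding `req->packet_len`, otherwise it reads past the end of `req->packet`. If the packet builder (not visible here) does not already guarantee both, a guard before the allocation in the first hunk would cover them, with the condition `req->pos == 0 || req->pos > req->packet_len || req->pos > UINT16_MAX` taking the same failure path as the `oc == NULL` branch. The enclosing function continues outside the hunk.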