From: Joshua Rogers Date: Mon, 8 Sep 2025 12:33:38 +0000 (+0000) Subject: DNS: fix RRPack memcpy to copy rdata buffer, not the pointer (#2189) X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d58e6492a952c0d21a921270ca03e7efa3f1f7d2;p=thirdparty%2Fsquid.git DNS: fix RRPack memcpy to copy rdata buffer, not the pointer (#2189) Fortunately, broken code had no effect because its only caller -- rfc2671RROptPack() that sends EDNS option -- always supplies zero-size rdata. Also clarified rfc1035QueryUnpack() implementation using sizeof().
---
diff --git a/src/dns/rfc1035.cc b/src/dns/rfc1035.cc
index 2900508806..53cfced6c6 100644
--- a/src/dns/rfc1035.cc
+++ b/src/dns/rfc1035.cc
@@ -354,7 +354,7 @@ rfc1035RRPack(char *buf, const size_t sz, const rfc1035_rr * RR)
 s = htons(RR->rdlength);
 memcpy(buf + off, &s, sizeof(s));
 off += sizeof(s);
- memcpy(buf + off, &(RR->rdata), RR->rdlength);
+ memcpy(buf + off, RR->rdata, RR->rdlength);
 off += RR->rdlength;
 assert(off <= sz);
 return off;
@@ -511,7 +511,7 @@ rfc1035RRDestroy(rfc1035_rr ** rr, int n)
 static int
 rfc1035QueryUnpack(const char *buf, size_t sz, unsigned int *off, rfc1035_query * query)
 {
- unsigned short s;
+ uint16_t s;
 if (rfc1035NameUnpack(buf, sz, off, nullptr, query->name, RFC1035_MAXHOSTNAMESZ, 0)) {
 RFC1035_UNPACK_DEBUG;
 memset(query, '\0', sizeof(*query));
@@ -522,11 +522,11 @@ rfc1035QueryUnpack(const char *buf, size_t sz, unsigned int *off, rfc1035_query
 memset(query, '\0', sizeof(*query));
 return 1;
 }
- memcpy(&s, buf + *off, 2);
- *off += 2;
+ memcpy(&s, buf + *off, sizeof(s));
+ *off += sizeof(s);
 query->qtype = ntohs(s);
- memcpy(&s, buf + *off, 2);
- *off += 2;
+ memcpy(&s, buf + *off, sizeof(s));
+ *off += sizeof(s);
 query->qclass = ntohs(s);
 return 0;
 }
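Review bot: The bounds check in rfc1035RRPack() still runs after the write: `memcpy(buf + off, RR->rdata, RR->rdlength)` executes before `assert(off <= sz)`, so now that real rdata bytes are copied, an rdlength larger than the remaining space would overrun `buf` before the assertion can fire. Any earlier size check would sit above this hunk, which starts mid-function, so it cannot be confirmed here. Moving the check ahead of the copy closes the gap: `assert(off + RR->rdlength <= sz);`. The commit message says the only caller passes zero-size rdata; if that caller also passes a null `rdata` (not visible on this page), the corrected call hands memcpy a null source, which is undefined even for length 0, so `if (RR->rdlength) memcpy(buf + off, RR->rdata, RR->rdlength);` is the safer form.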
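Review bot: The length check that protects the two reads in the last hunk of rfc1035QueryUnpack() is not part of the change as shown; only its failure branch (`memset(query, '\0', sizeof(*query)); return 1; }`) appears as context, while the reads below now advance `*off` by `sizeof(s)` each. If that guard is still written with a literal byte count, express it in the same terms as the reads, e.g. `2 * sizeof(s)`, so the check and the copies cannot drift apart. A short comment above the first memcpy, such as `// QTYPE and QCLASS: two 16-bit fields in network byte order (RFC 1035 section 4.1.2)`, would also record why exactly two `uint16_t` values are consumed.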