From: Colin Vidal <colin@isc.org>
Date: Fri, 5 Jun 2026 09:58:02 +0000 (+0200)
Subject: Fix delegdb dump buffer overflow
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ebd4e26f46db01abf5dbc985f4e14438269959d7;p=thirdparty%2Fbind9.git

Fix delegdb dump buffer overflow

A buffer used to dump a DNS name in the delegdb dump flow was using the
wrong size: it was using `DNS_NAME_MAXWIRE` which is the actual max
length of a DNS name on the wire instead of using `DNS_NAME_FORMATSIZE`
which is the maximum length of a textual representation of a DNS name
(which can be way longer than `DNS_NAME_MAXWIRE` if using the master
file escape sequence format) plus 1 (end of string byte). This could
lead to a buffer overflow. This is now fixed.
---

diff --git a/lib/dns/deleg.c b/lib/dns/deleg.c
index 249e7c5502b..c1c91ebce00 100644
--- a/lib/dns/deleg.c
+++ b/lib/dns/deleg.c
@@ -687,7 +687,7 @@ tostring_namelist(dns_namelist_t *namelist, const char *id, FILE *fp) {
 		fprintf(fp, " %s=", id);
 		ISC_LIST_FOREACH(*namelist, name, link) {
 			isc_buffer_t nameb;
-			char bdata[DNS_NAME_MAXWIRE] = { 0 };
+			char bdata[DNS_NAME_FORMATSIZE] = { 0 };
 
 			isc_buffer_init(&nameb, bdata, sizeof(bdata));
 			dns_name_totext(name, 0, &nameb);
@@ -763,7 +763,7 @@ delegset_tostring(const dns_name_t *zonecut, dns_delegset_t *delegset,
 		  isc_stdtime_t now, bool expired, FILE *fp) {
 	ISC_LIST_FOREACH(delegset->delegs, deleg, link) {
 		isc_buffer_t zonecutb;
-		char bdata[DNS_NAME_MAXWIRE];
+		char bdata[DNS_NAME_FORMATSIZE];
 		dns_ttl_t ttl = 0;
 
 		if (delegset->expires > now) {