From fa49c50ac359bc3ac7c76e86e0be0fe9a0cb6b7c Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Mon, 27 Oct 2025 19:23:37 +0100
Subject: [PATCH] tests/server/dnsd: fix potential buffer overflow

When handling incoming DNS packets.
Reported-by: Joshua Rogers
Closes #19261
---
 tests/server/dnsd.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tests/server/dnsd.c b/tests/server/dnsd.c
index 3f8f5b37a7..93edcb2397 100644
--- a/tests/server/dnsd.c
+++ b/tests/server/dnsd.c
@@ -83,7 +83,7 @@ static const char *type2string(unsigned short qtype)
 * Return query (qname + type + class), type and id.
 */
 static int store_incoming(const unsigned char *data, size_t size,
- unsigned char *qbuf, size_t *qlen,
+ unsigned char *qbuf, size_t qbuflen, size_t *qlen,
 unsigned short *qtype, unsigned short *idp)
 {
 FILE *server;
@@ -159,6 +159,12 @@ static int store_incoming(const unsigned char *data, size_t size,
 (void) get16bit(&data, &size);
 *qlen = qsize - size; /* total size of the query */
+ if(*qlen > qbuflen) {
+ logmsg("dnsd: query too large: %lu > %lu",
+ (unsigned long)*qlen, (unsigned long)qbuflen);
+ fclose(server);
+ return -1;
+ }
 memcpy(qbuf, qptr, *qlen);
 }
 else
@@ -616,7 +622,7 @@ static int test_dnsd(int argc, char **argv)
 per test case */
 read_instructions();
- store_incoming(inbuffer, n, qbuf, &qlen, &qtype, &id);
+ store_incoming(inbuffer, n, qbuf, sizeof(qbuf), &qlen, &qtype, &id);
 set_advisor_read_lock(loglockfile);
 serverlogslocked = 1;
-- 
2.47.3
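Review bot: The comment above `store_incoming` still reads only "Return query (qname + type + class), type and id." and says nothing about the new `qbuflen` parameter or the failure return this patch introduces. I would add a line such as `* 'qbuflen' is the capacity of 'qbuf' in bytes; returns -1 when the query does not fit.` The function body continues outside this hunk, so its other return values are not visible here and the comment should not claim more than that.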
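Review bot: `*qlen` is written before the new bounds check, so on the rejection path the caller's length variable already holds a value larger than `qbuflen` while `qbuf` was never filled. Any later use of that length against `qbuf` would then run past the buffer the check was meant to protect. Either compute the size into a local and store it to `*qlen` only after the check passes, or add `*qlen = 0;` before `fclose(server);` in the new branch. The enclosing function starts and ends outside this hunk.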
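Review bot: The return value of `store_incoming` is discarded at this call, so the new `-1` for an oversized query does not stop the packet from being processed further. What follows `serverlogslocked = 1;` is outside the hunk, but if the response path reads `qlen` or `qbuf`, it would do so with a buffer that was never filled. Test the result, e.g. `if(store_incoming(inbuffer, n, qbuf, sizeof(qbuf), &qlen, &qtype, &id) < 0)`, and skip building a reply for that packet. Note also that `sizeof(qbuf)` is the buffer capacity only if `qbuf` is declared as an array in `test_dnsd`, and that declaration is not visible here.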