Pull request #5121: dns: add fix heap-buffer-overflow in DNS NSEC resource record...
authorShijin Bose (shibose) <shibose@cisco.com>
Thu, 29 Jan 2026 16:12:33 +0000 (16:12 +0000)
committerShanmugam S (shanms) <shanms@cisco.com>
Thu, 29 Jan 2026 16:12:33 +0000 (16:12 +0000)
Merge in SNORT/snort3 from ~SHIBOSE/snort3:nsec_parsing to master

Squashed commit of the following:

commit 8ed1d4cbaac34970a379cf7c3e4c90695167ea8e
Author: shibose <shibose@cisco.com>
Date:   Wed Jan 28 13:59:03 2026 +0530

    dns: fix heap-buffer-overflow in DNS NSEC resource record decoder

src/service_inspectors/dns/dns_rr_decoder.cc

index 427b80341a89d1f4ad0b60ddb54c7bb620bca52e..f9e9b01d7593d47a2c41bfbbf526e50e60c55bf5 100644 (file)
@@ -303,6 +303,9 @@ static void decode_nsec(const uint8_t* rdata, uint16_t rdlength, std::string& rd
     static const std::string nsec_prefix = "NSEC" + part_sep;
     static const unsigned RDATA_OFFSET = 10;
     const uint8_t* rr_domain_name_end = rdata - RDATA_OFFSET;
+    if (rr_domain_name == nullptr or rr_domain_name > rr_domain_name_end)
+       return;
+
     uint16_t rr_domain_name_len = rr_domain_name_end - rr_domain_name;
 
     rdata_str.append(nsec_prefix);
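Review bot: The new guard before `uint16_t rr_domain_name_len = rr_domain_name_end - rr_domain_name;` rejects a null or reversed range but puts no upper bound on the distance, so a gap above 65535 bytes is still silently truncated by the narrowing to `uint16_t` instead of being treated as malformed. Assuming `rr_domain_name` points at the owner name in wire format, which is at most 255 octets, the same condition could reject that case too: `if (rr_domain_name == nullptr or rr_domain_name > rr_domain_name_end or rr_domain_name_end - rr_domain_name > 255) return;`. Also, `rdata - RDATA_OFFSET` is evaluated before any check and `rdata` is not tested for null, so the guard relies on callers always passing an `rdata` that has the 10-byte fixed RR header in front of it in the same buffer as `rr_domain_name`. That cannot be confirmed from this hunk, and a one-line comment stating the precondition above the subtraction would help. decode_nsec begins and ends outside the hunk, so how `rr_domain_name_len` is used afterwards is not visible here.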