- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew

  Griffiths from 'calif.io' for the report.

diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index 4902447fda01526e390578594167ddaddcde723a..173484cdf0b10eb9a75e48df85c756b1494e4718 100644 (file)
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -361,7 +361,7 @@ dnscrypt_server_uncurve(struct dnsc_env* env,
 
     len -= DNSCRYPT_QUERY_HEADER_SIZE;
 
-    while (*sldns_buffer_at(buffer, --len) == 0)
+    while (len>0 && *sldns_buffer_at(buffer, --len) == 0)
         ;
 
     if (*sldns_buffer_at(buffer, len) != 0x80) {

diff --git a/doc/Changelog b/doc/Changelog
index d8ef6ee822bf411ab85d2e39797daad8f61fc901..614e92ed68f455dda633333ca8527a3cce60b333 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -6,6 +6,8 @@
          Networks, for the report.
        - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
          content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
+       - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
+         Griffiths from 'calif.io' for the report.
 
 23 April 2026: Wouter
        - Merge #1441: Fix buffer overrun in