Fix isc_buffer_init capacity mismatch in DoH data chunk callback
authorOndřej Surý <ondrej@isc.org>
Wed, 11 Mar 2026 12:17:45 +0000 (13:17 +0100)
committerOndřej Surý (GitLab job 7052034) <ondrej@isc.org>
Wed, 18 Mar 2026 10:39:38 +0000 (10:39 +0000)
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated.  This makes the buffer
believe it has more space than actually allocated.  A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.

Pass h2->content_length as the capacity to match the allocation.

(cherry picked from commit 8e240bbb5ff563b1caaa13afdd1338079e2d751b)

lib/isc/netmgr/http.c

index 32d632bb181773d91e3fd83495807d8a898bdf5e..93ab90740699702193bf5ac61af225a6d30d016e 100644 (file)
@@ -644,13 +644,11 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data,
                                        &h2->rbuf,
                                        isc_mem_allocate(mctx,
                                                         h2->content_length),
-                                       MAX_DNS_MESSAGE_SIZE);
+                                       h2->content_length);
                        }
                        size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) +
                                             len;
-                       if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
-                           new_bufsize <= h2->content_length)
-                       {
+                       if (new_bufsize <= h2->content_length) {
                                session->processed_useful_data += len;
                                isc_buffer_putmem(&h2->rbuf, data, len);
                                break;
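Review bot: Dropping `new_bufsize <= MAX_DNS_MESSAGE_SIZE` leaves `h2->content_length` as the only limit on how much request body is allocated and buffered per stream, and nothing in this hunk shows that value being capped. It presumably comes from the peer's Content-Length header and is rejected earlier when it exceeds the DNS message limit, but that check sits outside the visible lines of on_server_data_chunk_recv_callback. I would make the dependency explicit just before the `isc_mem_allocate()` call, for example `INSIST(h2->content_length <= MAX_DNS_MESSAGE_SIZE);`, or at least add a comment naming where the header value is validated. It is also worth confirming that the type of `h2->content_length` fits the length parameter of `isc_buffer_init()` without truncation, so the capacity really equals the allocation.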