From: Willy Tarreau Date: Sat, 23 May 2026 16:53:27 +0000 (+0200) Subject: BUG/MINOR: resolvers: fix room for trailing zero in resolv_dn_label_to_str() X-Git-Tag: v3.4-dev14~53 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=01ebb668a4622d17b7a92bb4c836441e3edd0d42;p=thirdparty%2Fhaproxy.git BUG/MINOR: resolvers: fix room for trailing zero in resolv_dn_label_to_str() The previous fix 75f72c2eb ("BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()") can still be fooled by an input exactly the size of str_len, in which case the trailing zero appended at the end was not being accounted for. Let's add 1 to the condition to prepare for it. This needs to be backported wherever the fix above is backported. --- diff --git a/src/resolvers.c b/src/resolvers.c index ee49fb8f9..5308eaeb7 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -1857,8 +1857,8 @@ int resolv_dn_label_to_str(const char *dn, int dn_len, char *str, int str_len) for (i = 0; i < dn_len; ++i) { sz = (unsigned char)dn[i]; - /* Check str_len adding 1 for the dot if (i!=0) */ - if (str_len < sz+i+(!!i)) + /* Check str_len adding 1 for the dot if (i!=0) and 1 for null terminator */ + if (str_len < sz+i+(!!i)+1) return -1; if (i)