From: Miod Vallat
Date: Thu, 21 May 2026 14:33:39 +0000 (+0200)
Subject: Enforce proxy protocol size limit earlier.
X-Git-Tag: auth-5.1.0~26^2
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=fc3eb954fb634f5f32a09d77811fb9da24eaa0d2;p=thirdparty%2Fpdns.git

Enforce proxy protocol size limit earlier.

Signed-off-by: Miod Vallat
---

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 4b8604d2d6..d42bf4d227 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -275,14 +275,18 @@ void TCPNameserver::doConnection(int fd, Logr::log_t slog)
  for (;;) {
  used = isProxyHeaderComplete(proxyData);
  if (used < 0) {
- ssize_t origsize = proxyData.size();
- proxyData.resize(origsize + -used);
+ size_t origsize = proxyData.size();
+ auto extra = static_cast(-used);
+ if (origsize + extra > g_proxyProtocolMaximumSize) {
+ throw NetworkError("Error reading PROXYv2 header from TCP client "+remote.toString()+": PROXYv2 header too big");
+ }
+ proxyData.resize(origsize + extra);
  if (maxConnectionDurationReached(d_maxConnectionDuration, start, remainingTime)) {
  throw NetworkError("Error reading PROXYv2 header from TCP client "+remote.toString()+": maximum TCP connection duration exceeded");
  }
  try {
- readnWithTimeout(fd, &proxyData[origsize], -used, d_idleTimeout, true, remainingTime);
+ readnWithTimeout(fd, &proxyData[origsize], extra, d_idleTimeout, true, remainingTime);
  }
  catch(NetworkError& ae) {
  throw NetworkError("Error reading PROXYv2 header from TCP client "+remote.toString()+": "+ae.what());