BUG/MAJOR: resolvers: Properly lowered the names found in DNS response

Names found in DNS responses are lowered to be compared. A name is composed
of several labels, strings preceded by their length on one byte. For
instance:

 3www7haproxy3org

There is a bug when labels are lowered. The label length is not skipped and
tolower() function is called on it. So for label length in the range [65-90]
(uppercase char), 32 is added to the label length due to the conversion of an
uppercase char to lowercase. This bug can lead to OOB read later in the
resolvers code.

The fix is quite obvious, the label length must be skipped when the label is
lowered.

Thank you to Kamil Frankowicz for having reported this.

This patch must be backported to all stable versions.
Christopher Faulet 2026-03-04 18:29:21 +01:00
parent 96286b2a84
commit 25d6e65aae
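
The effect described in the commit message, as an added example that is not HAProxy code: `lower_name`, `name_is_walkable` and `check_sample` are hypothetical helpers, and the 71-byte name is a constructed sample. It lowers a wire-format name with and without the length byte going through tolower(), then walks the result with a bounds check.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: lower a wire-format name made of <length byte><label>
 * units ended by a 0 length. lower_len_byte != 0 also passes the length byte
 * through tolower(). Returns bytes written, or 0 if a label overruns size. */
static size_t lower_name(unsigned char *dst, const unsigned char *src,
                         size_t size, int lower_len_byte)
{
    size_t off = 0, n, total;

    while (off < size && src[off] != 0) {
        total = (size_t)src[off] + 1;      /* length byte + label string */
        if (total > size - off)
            return 0;
        dst[off] = lower_len_byte ? (unsigned char)tolower(src[off]) : src[off];
        for (n = 1; n < total; n++)
            dst[off + n] = (unsigned char)tolower(src[off + n]);
        off += total;
    }
    if (off >= size)
        return 0;
    dst[off] = 0;                          /* terminating zero length */
    return off + 1;
}

/* Bounds-checked walk: 1 if every length byte keeps the reader inside size. */
static int name_is_walkable(const unsigned char *name, size_t size)
{
    size_t off;

    for (off = 0; off < size; off += (size_t)name[off] + 1)
        if (name[off] == 0)
            return 1;
    return 0;
}

/* Constructed sample: one label with length byte 65 ('A'), then "ORG". */
static int check_sample(int lower_len_byte)
{
    unsigned char src[71], dst[71];

    src[0] = 65;
    memset(src + 1, 'X', 65);
    memcpy(src + 66, "\003ORG", 5);        /* length 3, "ORG", final 0 */
    if (lower_name(dst, src, sizeof(src), lower_len_byte) != sizeof(src))
        return -1;
    return name_is_walkable(dst, sizeof(dst));
}

int main(void) { return !(check_sample(1) == 0 && check_sample(0) == 1); }
```

With the length byte lowered, the stored length becomes 97 and the walk would step past the 71-byte buffer; with it skipped, the walk ends on the terminating zero.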

@ -656,8 +656,9 @@ int resolv_read_name(unsigned char *buffer, unsigned char *bufend,
/* +1 to take label len + label string */
label_len++;
for (n = 0; n < label_len; n++) {
*dest = *reader; /* copy label len */
/* copy lowered label string */
for (n = 1; n < label_len; n++) {
dest[n] = tolower(reader[n]);
}
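
Review bot: the new loop `for (n = 1; n < label_len; n++)` still takes its bound from the already incremented `label_len`, and nothing in the visible lines checks that value against `bufend` or the space left in `dest` before `dest[n] = tolower(reader[n]);` runs. Please confirm that check sits earlier in `resolv_read_name()` and note it in the comment above `label_len++`, since the commit message ties a wrong length byte to an OOB read. Smaller points: `*dest = *reader;` next to `dest[n]` would read more clearly as `dest[0] = reader[0];`, and a regression test using a length byte in the [65-90] range named in the message would pin the fix.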