From 25d6e65aaef5cb8ae369d7a1300a2386dd2b59f9 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 4 Mar 2026 18:29:21 +0100 Subject: [PATCH] BUG/MAJOR: resolvers: Properly lowered the names found in DNS response Names found in DNS responses are lowered to be compared. A name is composed of several labels, strings preceded by their length on one byte. For instance: 3www7haproxy3org There is a bug when labels are lowered. The label length is not skipped and tolower() function is called on it. So for label length in the range [65-90] (uppercase char), 32 is added to the label length due to the conversion of an uppercase char to lowercase. This bug can lead to OOB read later in the resolvers code. The fix is quite obvious, the label length must be skipped when the label is lowered. Thank you to Kamil Frankowicz for having reported this. This patch must be backported to all stable versions. --- src/resolvers.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/resolvers.c b/src/resolvers.c index 5aa2a595f..f48a2bf9b 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -656,8 +656,9 @@ int resolv_read_name(unsigned char *buffer, unsigned char *bufend, /* +1 to take label len + label string */ label_len++; - - for (n = 0; n < label_len; n++) { + *dest = *reader; /* copy label len */ + /* copy lowered label string */ + for (n = 1; n < label_len; n++) { dest[n] = tolower(reader[n]); }
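Review bot: the length byte copied by `*dest = *reader; /* copy label len */` is taken as-is, and nothing in this hunk shows it being bounded before the copy loop runs. The commit message describes the failure for lengths in [65-90], which already exceed the 63-octet label limit of RFC 1035, so it is worth confirming that the earlier part of resolv_read_name() rejects any length byte above 63 (and checks `label_len` against both `bufend` and the space left in `dest`) before reaching this point. If it does not, add that check here, so a malformed length is dropped instead of being copied into the stored name. Separately, the diffstat touches only src/resolvers.c: a regression test feeding a response whose label length falls in the uppercase ASCII range would keep the `n = 1` start index from being changed back to 0 in a later cleanup.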