mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-21 19:01:00 +01:00
00488ddef5
The maximum number of bytes in a DNS name is indeed 255, but we need to allocate one more byte for the NULL-terminating byte. Otherwise dns_read_name() might return 255 for a very long name, causing dns_validate_dns_response() to write a NULL value one byte after the end of the buffer: dns_answer_record->name[len] = 0; The next fields in the struct being filled from the content of the query, it might have been possible to fill them with non-0 values, causing for example a strlen() of the name to read past the end of the struct and access unintended parts of the memory, possibly leading to a crash. To be backported to 1.8, probably also 1.7.