- Fix out of bounds read in parse_edns_options_from_query, it would read

8 bytes after a client option of length 8, and then ignore them to recreate a 24 byte response. The fixup does not read out of bounds, and puts zeroes in the buffer at that point, that then are ignored.
NLnetLabs · Aug 16, 2023 · 1c85901 · 1c85901
1 parent b1c707e
commit 1c85901
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
@@ -1049,7 +1049,12 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 			/* Copy client cookie, version and timestamp for
 			 * validation and creation purposes.
 			 */
-			memmove(server_cookie, rdata_ptr, 16);
+			if(opt_len >= 16) {
+				memmove(server_cookie, rdata_ptr, 16);
+			} else {
+				memset(server_cookie, 0, 16);
+				memmove(server_cookie, rdata_ptr, opt_len);
+			}
 
 			/* Copy client ip for validation and creation
 			 * purposes. It will be overwritten if (re)creation