Fix buffer overrun in doq_repinfo_retrieve_localaddr()#1441
Merged
Conversation
wcawijngaards
approved these changes
Apr 23, 2026
Member
wcawijngaards
left a comment
wcawijngaards
left a comment
There was a problem hiding this comment.
This change looks like a good bugfix. I reviewed other use in Unbound, but those seem to be fine.
wcawijngaards
added a commit
that referenced
this pull request
Apr 23, 2026
- Merge #1441: Fix buffer overrun in doq_repinfo_retrieve_localaddr().
wcawijngaards
added a commit
that referenced
this pull request
Apr 23, 2026
Contributor
Author
|
(Whoops, sorry for the typo.) |
jedisct1
added a commit
to jedisct1/unbound
that referenced
this pull request
May 5, 2026
* nlnet/master: (94 commits) - iana portlist updated. - Fix windows 64bit build for libssp dependency. - tag for 1.25.0. The code repository continues with 1.25.1 in development. - For NLnetLabs#1441: Fix type of ipv6 addr struct. Changelog entry for NLnetLabs#1441. - Merge NLnetLabs#1441: Fix buffer overrun in doq_repinfo_retrieve_localaddr(). Fix buffer overrun in doq_repinfo_retrieve_localaddr() (NLnetLabs#1441) - Fix doxygen comment syntax. - Set version number to 1.25.0 of code repository. - Fix handling of wildcard CNAMEs in the chain of trust. An improper wildcard in the chain of trust would send the retries to the wrong upstream. Also it could label the step in the chain of trust as secure, when it was not. Thanks to Qifan Zhang, Palo Alto Networks for the report. - Fix that a DNAME with an unsigned CNAME is checked for the correct match. This stops that for certain zone configurations an unchecked unsigned CNAME could get secure status. Thanks to Qifan Zhang, Palo Alto Networks for the report. - Fix that signatures are not allowed with revoked dnskeys. Thanks to Qifan Zhang, Palo Alto Networks for the report. - Fix that upstream TLS connections are not reused as TLS connections for a different name, at the same IP. This checks that the tls name is correct when reusing the upstream connections. Thanks to TaoFei Guo from Peking University and JianJun Chen from Tsinghua University for the report. - Fix for missing bounds check for decompressing dnames for downloaded authority zones. This fixes that the server could end up with malformed zone content after receiving truncated packet contents from an AXFR. In addition, the domain names in the SOA rdata are checked before the authority code picks up the zone serial. Thanks to Halil Oktay for the report. - Fix for iterator RCODE handling of YXDOMAIN. This fixes that the server only accepts YXDOMAIN answers that contain a DNAME record. This stops bad answers, and checks that the authoritative server gives correct replies. Thanks to Qifan Zhang, Palo Alto Networks for the report. - Fix EDNS extended RCODE reflection. This fixes that the server does not echo extended rcode values after class chaos queries. Thanks to Qifan Zhang, Palo Alto Networks for the report. - Fix for the Jiggle Attack. The server is fixed to answer with errors for error cases, and does not stay silent. In addition, the error replies do not contain parts of the incoming query. This is more conformant, stops reflection and stops it as a covert channel. Thanks to Yuqi Qiu and Xiang Li, Nankai University (AOSP Lab) for the report. In addition, thanks to Qifan Zhang, Palo Alto Networks, for noting the fingerprinting possibility, that is also fixed with this. - Add test case for malformed SVCB records. Thanks to Qifan Zhang, Palo Alto Networks for the additional test. - Fix test with https zone for libressl. - Fix unused variable warning when compiled without ssl. - Fix compile warnings for thread setname routine, and test compile. ...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SAST finding.
struct in_addr{,6}andstruct sockaddr_in{,6}are different structures, with the latter including the former and generally being bigger. In case of the IPv6 path, thememmove()call could write paststruct doq_addr_storage, most likely overwriting theaddrlenfield ofstruct doq_pkt_addr.Not sure what the implications are of this error, but I would expect for
doq_lookup_repinfo()to fail to find anything for IPv6 replies. Tried to look for issues related to QUIC & IPv6 and found only #1258, maybe it's somehow related?