Skip to content

Fix buffer overrun in doq_repinfo_retrieve_localaddr()#1441

Merged
wcawijngaards merged 1 commit into
NLnetLabs:masterfrom
Fothsid:doq-addr-overrun
Apr 23, 2026
Merged

Fix buffer overrun in doq_repinfo_retrieve_localaddr()#1441
wcawijngaards merged 1 commit into
NLnetLabs:masterfrom
Fothsid:doq-addr-overrun

Conversation

@Fothsid
Copy link
Copy Markdown
Contributor

@Fothsid Fothsid commented Apr 22, 2026

SAST finding.

struct in_addr{,6} and struct sockaddr_in{,6} are different structures, with the latter including the former and generally being bigger. In case of the IPv6 path, the memmove() call could write past struct doq_addr_storage, most likely overwriting the addrlen field of struct doq_pkt_addr.

Not sure what the implications are of this error, but I would expect for doq_lookup_repinfo() to fail to find anything for IPv6 replies. Tried to look for issues related to QUIC & IPv6 and found only #1258, maybe it's somehow related?

wcawijngaards
wcawijngaards approved these changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@wcawijngaards wcawijngaards left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change looks like a good bugfix. I reviewed other use in Unbound, but those seem to be fine.

@wcawijngaards wcawijngaards merged commit e49b550 into NLnetLabs:master Apr 23, 2026
1 check passed
wcawijngaards added a commit that referenced this pull request Apr 23, 2026
@wcawijngaards
Changelog entry for #1441.
df0e86d 
- Merge #1441: Fix buffer overrun in
  doq_repinfo_retrieve_localaddr().
wcawijngaards added a commit that referenced this pull request Apr 23, 2026
@wcawijngaards
- For #1441: Fix type of ipv6 addr struct.
25fe602
@Fothsid
Copy link
Copy Markdown
Contributor Author

Fothsid commented Apr 23, 2026

(Whoops, sorry for the typo.)

jedisct1 added a commit to jedisct1/unbound that referenced this pull request May 5, 2026
@jedisct1
Merge remote-tracking branch 'nlnet/master'
c201f85 
* nlnet/master: (94 commits)
  - iana portlist updated.
  - Fix windows 64bit build for libssp dependency.
  - tag for 1.25.0. The code repository continues with 1.25.1 in   development.
  - For NLnetLabs#1441: Fix type of ipv6 addr struct.
  Changelog entry for NLnetLabs#1441. - Merge NLnetLabs#1441: Fix buffer overrun in   doq_repinfo_retrieve_localaddr().
  Fix buffer overrun in doq_repinfo_retrieve_localaddr() (NLnetLabs#1441)
  - Fix doxygen comment syntax.
  - Set version number to 1.25.0 of code repository.
  - Fix handling of wildcard CNAMEs in the chain of trust.   An improper wildcard in the chain of trust would send   the retries to the wrong upstream. Also it could label   the step in the chain of trust as secure, when it was not.   Thanks to Qifan Zhang, Palo Alto Networks for the report.
  - Fix that a DNAME with an unsigned CNAME is checked for   the correct match. This stops that for certain zone   configurations an unchecked unsigned CNAME could get   secure status. Thanks to Qifan Zhang, Palo Alto Networks   for the report.
  - Fix that signatures are not allowed with revoked dnskeys.   Thanks to Qifan Zhang, Palo Alto Networks for the report.
  - Fix that upstream TLS connections are not reused as TLS   connections for a different name, at the same IP. This   checks that the tls name is correct when reusing the   upstream connections. Thanks to TaoFei Guo from Peking   University and JianJun Chen from Tsinghua University for   the report.
  - Fix for missing bounds check for decompressing dnames   for downloaded authority zones. This fixes that the server   could end up with malformed zone content after receiving   truncated packet contents from an AXFR. In addition, the   domain names in the SOA rdata are checked before the   authority code picks up the zone serial.   Thanks to Halil Oktay for the report.
  - Fix for iterator RCODE handling of YXDOMAIN. This fixes   that the server only accepts YXDOMAIN answers that contain   a DNAME record. This stops bad answers, and checks that   the authoritative server gives correct replies.   Thanks to Qifan Zhang, Palo Alto Networks for the report.
  - Fix EDNS extended RCODE reflection. This fixes that   the server does not echo extended rcode values after class   chaos queries. Thanks to Qifan Zhang, Palo Alto Networks   for the report.
  - Fix for the Jiggle Attack. The server is fixed to answer   with errors for error cases, and does not stay silent.   In addition, the error replies do not contain parts of the   incoming query. This is more conformant, stops reflection   and stops it as a covert channel. Thanks to Yuqi Qiu and   Xiang Li, Nankai University (AOSP Lab) for the report.   In addition, thanks to Qifan Zhang, Palo Alto Networks, for   noting the fingerprinting possibility, that is also fixed   with this.
  - Add test case for malformed SVCB records. Thanks to   Qifan Zhang, Palo Alto Networks for the additional test.
  - Fix test with https zone for libressl.
  - Fix unused variable warning when compiled without ssl.
  - Fix compile warnings for thread setname routine, and test compile.
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wcawijngaards wcawijngaards wcawijngaards approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Fothsid @wcawijngaards