author | Daniel Stenberg <daniel@haxx.se> | 2019-09-13 11:00:58 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-09-13 11:00:58 +0200 |
commit | 15312171b540d6b65edf5e83ad4cfcd3da4ec4e9 (patch) | |
tree | ceb1293dcfa87eaca06d950547913774207aa8d7 | |
parent | 1ca91bcdb588dc6c25d345f2411fdba314433732 (diff) | |
download | curl-bagder/doh-encode-size.tar.gz |
doh: fix off-by-one error in size check for doh_encode() (bagder/doh-encode-size)
When building the outgoing DNS packet, we typically need one byte more
than the length of the host name since each "label" needs a single byte
length. "a.b" needs four bytes.
This would previously lead to a single byte overwrite if the given input
host name was exactly 240 bytes, but the overwritten data is the length
variable that gets updated immediately afterwards, making the net result
that it only made a broken DNS packet.
Inspired-by: Paul Dreik
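The label encoding the message describes, as an added example that is not curl's code: `qname_len`, `qname_encode` and `qname_boundary_ok` are hypothetical names. The count here includes the zero-length root label that ends a DNS name, so "a.b" comes to five bytes on the wire; a DoH request buffer would need 12 header bytes before this and 4 bytes for type and class after it.

```c
#include <stddef.h>
#include <string.h>

/* Bytes needed for host as a DNS QNAME: every label gets a length byte
   (the first one is extra, the rest take the place of the dots) and the
   name ends with a zero-length root label. Hypothetical helper. */
static size_t qname_len(const char *host)
{
  size_t n = strlen(host);
  if(n && host[n - 1] == '.')
    n--;                      /* a trailing dot adds no label bytes */
  return n ? n + 2 : 1;
}

/* Encode host into out. Returns the bytes written, or 0 when the name has
   an empty or over-long label or when out is too small. */
static size_t qname_encode(const char *host, unsigned char *out, size_t outlen)
{
  unsigned char *p = out;
  if(outlen < qname_len(host))
    return 0;                 /* size is checked before the first write */
  while(*host) {
    const char *dot = strchr(host, '.');
    size_t lablen = dot ? (size_t)(dot - host) : strlen(host);
    if(lablen < 1 || lablen > 63)
      return 0;
    *p++ = (unsigned char)lablen;
    memcpy(p, host, lablen);
    p += lablen;
    host += lablen;
    if(*host == '.')
      host++;
  }
  *p++ = 0;                   /* root label terminates the name */
  return (size_t)(p - out);
}

/* Constructed boundary case: exact fit succeeds and leaves the guard byte
   alone; one byte less is rejected. Returns 1 when both hold. */
static int qname_boundary_ok(void)
{
  unsigned char buf[6] = {0, 0, 0, 0, 0, 0xAA};
  static const unsigned char want[5] = {1, 'a', 1, 'b', 0};
  return qname_encode("a.b", buf, 5) == 5 && !memcmp(buf, want, 5) &&
         buf[5] == 0xAA && qname_encode("a.b", buf, 4) == 0;
}

int main(void) { return qname_boundary_ok() ? 0 : 1; }
```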
-rw-r--r-- | lib/doh.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -84,7 +84,7 @@ UNITTEST DOHcode doh_encode(const char *host, unsigned char *orig = dnsp; const char *hostp = host; - if(len < (12 + hostlen + 4)) + if(len <= (12 + hostlen + 4)) return DOH_TOO_SMALL_BUFFER; *dnsp++ = 0; /* 16 bit id */ |
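Review bot: in the changed check `if(len <= (12 + hostlen + 4))`, the extra byte is now carried only by the comparison operator, which is easy to misread and easy for a later cleanup to turn back into `<`. Consider computing a named expected length (12 header bytes, the encoded name, 4 bytes for type and class) and comparing with `len < expected_len`, with a comment saying which extra bytes the name encoding adds. The commit message counts one length byte per label and gives four bytes for "a.b", but an encoded name also ends with a zero-length root label, so a host name without a trailing dot needs hostlen + 2 bytes; please confirm the bound covers both the leading length byte and that terminator, since the rest of the function is not visible in this hunk. The diffstat shows only lib/doh.c changed, and doh_encode() is marked UNITTEST, so a unit test that passes a buffer of exactly the minimum size, and one a byte smaller, would pin this boundary.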