From 15312171b540d6b65edf5e83ad4cfcd3da4ec4e9 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 13 Sep 2019 11:00:58 +0200
Subject: doh: fix off-by-one error in size check for doh_encode()

When building the outgoing DNS packet, we typically need one byte more than the length of the host name since each "label" needs a single byte length. "a.b" needs four bytes.

This would previously lead to a single byte overwrite if the given input host name was exactly 240 bytes, but the overwritten data is the length variable that gets updated immediately afterwards, making the net result that it only made a broken DNS packet.

Inspired-by: Paul Dreik
---
 lib/doh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/doh.c b/lib/doh.c
index 6d1f3303b..80cd9ac26 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -84,7 +84,7 @@ UNITTEST DOHcode doh_encode(const char *host, unsigned char *orig = dnsp; const char *hostp = host; - if(len < (12 + hostlen + 4)) + if(len <= (12 + hostlen + 4)) return DOH_TOO_SMALL_BUFFER; *dnsp++ = 0; /* 16 bit id */ -- cgit v1.2.1
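Review bot: the tightened bound `if(len <= (12 + hostlen + 4))` in this hunk is still one byte short for a host name without a trailing dot if doh_encode() terminates the QNAME with the zero-length root label that RFC 1035 requires: such a name of `hostlen` bytes encodes to `hostlen + 2` bytes (one length byte per label plus the terminating zero), so the packet needs `12 + hostlen + 2 + 4` bytes, whereas `len <= 12 + hostlen + 4` only guarantees `12 + hostlen + 5`. The accounting in the commit message ("a.b" needs four bytes) counts only the label length bytes and omits that terminator. Rather than nudging `<` to `<=`, compute the requirement explicitly and keep a plain `<` comparison, for example `expected_len = 12 + 1 + hostlen + 4; if(host[hostlen - 1] != '.') expected_len++;` followed by `if(len < expected_len) return DOH_TOO_SMALL_BUFFER;` (assuming `hostlen > 0` is checked before this point, which is not visible in the hunk). That form documents the packet layout, covers the trailing-dot case where the QNAME is only one byte longer than the host name, and is worth pinning with a unit test at the exact boundary (`len` equal to the required size) given that this check has already been off by one once.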