0006-dns-fix-nameserver-OOB-read-in-IPv6-disabled-fallbac.patch (1176B)
- From df97e1c57780588639d8f6aff7dd8f1db8b63c19 Mon Sep 17 00:00:00 2001
- From: Liam Wachter <liam@asymmetric.re>
- Date: Fri, 20 Mar 2026 12:19:40 -0400
- Subject: [PATCH] dns: fix nameserver OOB read in IPv6-disabled fallback
- In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns]
- inside a loop controlled by i, so it tests a fixed slot instead of
- walking configured nameservers. This reads one past the array's size.
- Use conf->ns[i] so the loop correctly detects whether all configured
- nameservers are IPv6-only.
- ---
- src/network/res_msend.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/src/network/res_msend.c b/src/network/res_msend.c
- index fcb52513..51d42ecb 100644
- --- a/src/network/res_msend.c
- +++ b/src/network/res_msend.c
- @@ -124,7 +124,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries,
- /* Handle case where system lacks IPv6 support */
- if (fd < 0 && family == AF_INET6 && errno == EAFNOSUPPORT) {
- - for (i=0; i<nns && conf->ns[nns].family == AF_INET6; i++);
- + for (i=0; i<nns && conf->ns[i].family == AF_INET6; i++);
- if (i==nns) {
- pthread_setcancelstate(cs, 0);
- return -1;
- --
- 2.49.0