Message-ID: <CAOBnsYpNi_mNZkU=TPss7azhoOrcYgr045Tiud1ceDD6xo-ZuA@mail.gmail.com>
Date: Thu, 26 Feb 2026 08:51:09 +0100
From: Liam Wachter <liam@...mmetric.re>
To: musl@...ts.openwall.com
Subject: [PATCH] dns: fix nameserver OOB read in IPv6-disabled fallback
In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns]
inside a loop controlled by i, so it tests a fixed slot instead of
walking configured nameservers. This reads one past the array's size.
Use conf->ns[i] so the loop correctly detects whether all configured
nameservers are IPv6-only.
---
src/network/res_msend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/res_msend.c b/src/network/res_msend.c
index fcb52513..51d42ecb 100644
--- a/src/network/res_msend.c
+++ b/src/network/res_msend.c
@@ -124,7 +124,7 @@ int __res_msend_rc(int nqueries, const unsigned char
*const *queries,
/* Handle case where system lacks IPv6 support */
if (fd < 0 && family == AF_INET6 && errno == EAFNOSUPPORT) {
- for (i=0; i<nns && conf->ns[nns].family == AF_INET6; i++);
+ for (i=0; i<nns && conf->ns[i].family == AF_INET6; i++);
if (i==nns) {
pthread_setcancelstate(cs, 0);
return -1;
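Review bot: On the changed loop condition, conf->ns[i].family is the right index, but the commit message's "reads one past the array's size" only holds when nns equals the number of slots in conf->ns. With fewer nameservers configured, the old conf->ns[nns] read an unused slot inside the array, so it is worth stating both cases in the message. It would also help to describe the functional effect: with the fixed index, the result of the i==nns test depended on that single slot rather than on the configured servers, so the all-IPv6 case was not reliably detected. As a style point, the empty loop body carried by the trailing semicolon on the for line is easy to misread; putting the ";" on its own line or adding a short comment would make the intent visible.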