Fix harmless two byte buffer write overflow in doh_encode #4352
The check for buffer length in curl/lib/doh.c (line 87 in 5977664)
I reported a related bug in curl/doh at an early stage when investigating this, via private email to @bagder. After looking further into it, I filed on hackerone, and after discussions there it was concluded that
doh_encode() is an internal function, and the only exposure it gets is through curl/lib/doh.c (line 195 in 5977664).
The only way to trigger this externally is to use doh and use a hostname of a particular length such that it is short enough not to be caught by the length check, but long enough to write outside the buffer.
If the overflow happens, it is luckily harmless, because the overwrite goes into the length member of struct dnsprobe. That length member is overwritten by curl/lib/doh.c (line 134 in 5977664).
This pull request adds a unit test which proves the bug and that it has been fixed.
To trigger the behaviour, the following curl command can be used (the length of the weird hostname is carefully selected and no part between the dots may be longer than 63):
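As an added example, not curl's doh_encode() or any code from this pull request, here is a minimal DNS query encoder whose capacity check counts every byte the wire-format name needs (one length byte per label plus the terminating root label, so hostlen + 2 for a dotted name), so a hostname that passes the check can never write past the buffer; the 12-byte header and 4-byte QTYPE/QCLASS trailer are standard DNS, and the 63-byte label limit is the one the description mentions.

```c
#include <stddef.h>
#include <string.h>

#define DNS_HEADER_LEN 12    /* fixed DNS message header */
#define DNS_QTRAILER_LEN 4   /* QTYPE + QCLASS following the name */
#define DNS_MAX_LABEL 63     /* RFC 1035 label limit */

/* Buffer bytes a query needs. A dotted name without a trailing dot
 * takes hostlen + 2 wire bytes: each dot becomes a label length byte,
 * plus the leading length byte and the terminating root label. */
size_t dns_query_size(size_t hostlen)
{
  return DNS_HEADER_LEN + hostlen + 2 + DNS_QTRAILER_LEN;
}

/* Encode a query for host/qtype into buf[len]. Returns bytes written,
 * or 0 if the buffer is too small or a label is empty or too long.
 * Added example code, not curl's doh_encode(). */
size_t encode_query(const char *host, unsigned qtype,
                    unsigned char *buf, size_t len)
{
  size_t pos = DNS_HEADER_LEN;

  if(len < dns_query_size(strlen(host)))
    return 0;               /* reject before any byte is written */

  memset(buf, 0, DNS_HEADER_LEN);
  buf[2] = 0x01;            /* RD: recursion desired */
  buf[5] = 0x01;            /* QDCOUNT = 1 */

  while(*host) {
    const char *dot = strchr(host, '.');
    size_t lab = dot ? (size_t)(dot - host) : strlen(host);
    if(lab == 0 || lab > DNS_MAX_LABEL)
      return 0;             /* empty label ("a..b") or over 63 bytes */
    buf[pos++] = (unsigned char)lab;
    memcpy(buf + pos, host, lab);
    pos += lab;
    host += lab + (dot ? 1 : 0);   /* skip the dot, if any */
  }
  buf[pos++] = 0;                  /* root label ends the name */
  buf[pos++] = (unsigned char)(qtype >> 8);
  buf[pos++] = (unsigned char)qtype;
  buf[pos++] = 0;
  buf[pos++] = 1;                  /* QCLASS IN */
  return pos;
}
```

A unit test for such an encoder should probe the exact boundary: a buffer of precisely dns_query_size() bytes must succeed, and one byte less must be refused without any write.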