From 07fcc62be9064006c53106800d874ff98f23cd79 Mon Sep 17 00:00:00 2001
From: Alan Carvalho de Assis <acassis@gmail.com>
Date: Sun, 3 May 2026 11:01:32 -0300
Subject: [PATCH] libs/netdb: Fix dns_recv_response() to dns_answer_s size

This commit avoid that dns_recv_response() accepts fewer tha 10 bytes
that could end up with an OOB read.

Signed-off-by: Alan C. Assis <acassis@gmail.com>
---
 libs/libc/netdb/lib_dnsquery.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/libs/libc/netdb/lib_dnsquery.c b/libs/libc/netdb/lib_dnsquery.c
index 57bf6575fc717..51740ce58d4c7 100644
--- a/libs/libc/netdb/lib_dnsquery.c
+++ b/libs/libc/netdb/lib_dnsquery.c
@@ -694,6 +694,19 @@ static int dns_recv_response(int sd, FAR union dns_addr_u *addr, int naddr,
           break;
         }
 
+      /* Verify that a complete answer header (10 bytes: type, class,
+       * ttl[2], len) is available before casting to dns_answer_s.
+       * Without this check, accessing ans->ttl and ans->type/class/len
+       * would be an OOB read if fewer than 10 bytes remain.
+       */
+
+      if (nameptr + sizeof(struct dns_answer_s) > endofbuffer)
+        {
+          ret = -EILSEQ;
+          nwarn("DNS answer header truncated\n");
+          break;
+        }
+
       ans = (FAR struct dns_answer_s *)nameptr;
 
       ninfo("Answer: type=%04x, class=%04x, ttl=%06x, length=%04x\n",