Fix harmless two byte buffer write overflow in doh_encode #4352
The check for buffer length in
I reported a related bug in curl/doh at an early stage when investigating this, via private email to @bagder. After looking further into it, I filed on hackerone, and after discussions there it was concluded that
doh_encode() is an internal function, and the only exposure it gets is through
The only way to trigger this externally is to use doh and use a hostname of a particular length such that it is short enough not to be caught by the length check, but long enough to write outside the buffer.
If the overflow happens, it is luckily harmless, because the overwrite goes into the length member of
This pull request adds a unit test which proves the bug and that it has been fixed.
To trigger the behaviour, the following curl command can be used (the length of the weird hostname is carefully selected and no part between the dots may be longer than 63):