[Dnsmasq-discuss] possible overflow while constructing SRV record name

Mikhail Dmitrichenko m.dmitrichenko222 at gmail.com
Fri Jul 11 12:31:32 UTC 2025 

Hello!

First of all, I want to clarify that I'm new to dnsmasq, so please excuse
me if my message seems silly.

My question is about constructing srv record name in function
src/option.c/read_opts, v2.91. Specifically, this part:

  if (daemon->domain_suffix)
    {
       /* add domain for any srv record without one. */
      struct mx_srv_record *srv;

      for (srv = daemon->mxnames; srv; srv = srv->next)
    if (srv->issrv &&
      strchr(srv->name, '.') &&
      strchr(srv->name, '.') == strrchr(srv->name, '.'))
     {
      strcpy(buff, srv->name);
      strcat(buff, ".");
      strcat(buff, daemon->domain_suffix);
      free(srv->name);
      srv->name = opt_string_alloc(buff);
     }
    }

Here, `buff` is a buffer of length ((MAXDNAME * 2) + 1) bytes. If I
understand it correctly, after lines:

   strcpy(buff, srv->name);
   strcat(buff, ".");

maximum len of `buff` will be (MAXDNAME + 1) bytes. My concern is about
next line:

   strcat(buff, daemon->domain_suffix);

As I see it, there is a possible scenario, where domain name in
`resolv.conf` contains non-ASCII symbols. If IDN library is present, this
name will be encoded and set as `daemon->domain_suffix` value. I noticed
that in function src/util.c/canonicalise, there is a call to `check_name`,
which checks len of given non-encoded input string. If it exceeds
`MAXDNAME`, NULL will be returned, so `daemon->domain_suffix` will be NULL.

But what if encoded string exceeds `MAXDNAME`? I haven't found any check
for that. If this happens, it could cause overflow in the line

   strcat(buff, daemon->domain_suffix);

because `buff` may already contain (`MAXDNAME` + 1) bytes, leaving only
`MAXDNAME` bytes free. Do you think it will be useful to add a check of
encoded domain name length to prevent such an overflow? Any response would
be appreciated.

I'm aware that such long domain names are unusual and described scenario is
unlikely in real life, but I still wanted to highlight it.

Thank you in advance for your time and expertise!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20250711/4bd8b809/attachment.htm>

More information about the Dnsmasq-discuss mailing list