Hi Ismail, you seem to keep dumping issues that might be potential security issues on the public mailing list, so I am putting your account on a moderation.
On top of that, you don't seem to even bother to look at the existing issues and just dumping LLM found issues on us. This is already being tracked as https://gitlab.isc.org/isc-projects/bind9/-/work_items/6097 and it is not a security issue. Ondrej -- Ondřej Surý (He/Him) [email protected] ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply! My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 2. 7. 2026, at 10:51, Ismail Ramzi <[email protected]> wrote: > > tostruct_nid() and tostruct_l64() read the 16-bit Preference field with > uint16_fromregion(), which only reads region->base[0..1] and does not > advance the region. Unlike the sibling tostruct_lp(), they are missing > the following isc_region_consume(®ion, 2), so at the memmove() the > region still has length 10 and still points at the start of the rdata: > > dns_rdata_toregion(rdata, ®ion); /* region.length == 10 */ > nid->pref = uint16_fromregion(®ion); /* does not consume */ > memmove(nid->nid, region.base, region.length); > > dns_rdata_nid_t.nid and dns_rdata_l64_t.l64 are fixed 8-byte trailing > arrays, and fromwire/fromtext pin rdata->length to exactly 10 for these > types. The memmove therefore copies 10 bytes into an 8-byte array, a > 2-byte out-of-bounds write past the caller-supplied structure, and also > stores the wrong bytes (the two Preference octets land in nid[0..1] > instead of the Node ID). > > This is reachable from dns_rdata_tostruct() on any valid NID (RFC 6742, > type 104) or L64 (type 106) record parsed from the network or a zone > file. > > Add the missing isc_region_consume(®ion, 2) so that exactly the > 8-byte locator is copied, matching tostruct_lp(). > > Signed-off-by: Ismail Ramzi <[email protected]> > --- > diff --git a/lib/dns/rdata/generic/l64_106.c b/lib/dns/rdata/generic/l64_106.c > index 5e9b42e..fb00ea1 100644 > --- a/lib/dns/rdata/generic/l64_106.c > +++ b/lib/dns/rdata/generic/l64_106.c > @@ -151,6 +151,7 @@ tostruct_l64(ARGS_TOSTRUCT) { > > dns_rdata_toregion(rdata, ®ion); > l64->pref = uint16_fromregion(®ion); > + isc_region_consume(®ion, 2); > memmove(l64->l64, region.base, region.length); > return ISC_R_SUCCESS; > } > diff --git a/lib/dns/rdata/generic/nid_104.c b/lib/dns/rdata/generic/nid_104.c > index 80d0533..ce53a8f 100644 > --- a/lib/dns/rdata/generic/nid_104.c > +++ b/lib/dns/rdata/generic/nid_104.c > @@ -151,6 +151,7 @@ tostruct_nid(ARGS_TOSTRUCT) { > > dns_rdata_toregion(rdata, ®ion); > nid->pref = uint16_fromregion(®ion); > + isc_region_consume(®ion, 2); > memmove(nid->nid, region.base, region.length); > return ISC_R_SUCCESS; > } > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.

