Hi Ismail,

you seem to keep dumping issues that might be potential security issues
on the public mailing list, so I am putting your account on a moderation.

On top of that, you don't seem to even bother to look at the existing issues
and just dumping LLM found issues on us.

This is already being tracked as 
https://gitlab.isc.org/isc-projects/bind9/-/work_items/6097
and it is not a security issue.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to 
send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 2. 7. 2026, at 10:51, Ismail Ramzi <[email protected]> wrote:
> 
> tostruct_nid() and tostruct_l64() read the 16-bit Preference field with
> uint16_fromregion(), which only reads region->base[0..1] and does not
> advance the region. Unlike the sibling tostruct_lp(), they are missing
> the following isc_region_consume(&region, 2), so at the memmove() the
> region still has length 10 and still points at the start of the rdata:
> 
> dns_rdata_toregion(rdata, &region);        /* region.length == 10 */
> nid->pref = uint16_fromregion(&region);    /* does not consume */
> memmove(nid->nid, region.base, region.length);
> 
> dns_rdata_nid_t.nid and dns_rdata_l64_t.l64 are fixed 8-byte trailing
> arrays, and fromwire/fromtext pin rdata->length to exactly 10 for these
> types. The memmove therefore copies 10 bytes into an 8-byte array, a
> 2-byte out-of-bounds write past the caller-supplied structure, and also
> stores the wrong bytes (the two Preference octets land in nid[0..1]
> instead of the Node ID).
> 
> This is reachable from dns_rdata_tostruct() on any valid NID (RFC 6742,
> type 104) or L64 (type 106) record parsed from the network or a zone
> file.
> 
> Add the missing isc_region_consume(&region, 2) so that exactly the
> 8-byte locator is copied, matching tostruct_lp().
> 
> Signed-off-by: Ismail Ramzi <[email protected]>
> ---
> diff --git a/lib/dns/rdata/generic/l64_106.c b/lib/dns/rdata/generic/l64_106.c
> index 5e9b42e..fb00ea1 100644
> --- a/lib/dns/rdata/generic/l64_106.c
> +++ b/lib/dns/rdata/generic/l64_106.c
> @@ -151,6 +151,7 @@ tostruct_l64(ARGS_TOSTRUCT) {
> 
> dns_rdata_toregion(rdata, &region);
> l64->pref = uint16_fromregion(&region);
> + isc_region_consume(&region, 2);
> memmove(l64->l64, region.base, region.length);
> return ISC_R_SUCCESS;
> }
> diff --git a/lib/dns/rdata/generic/nid_104.c b/lib/dns/rdata/generic/nid_104.c
> index 80d0533..ce53a8f 100644
> --- a/lib/dns/rdata/generic/nid_104.c
> +++ b/lib/dns/rdata/generic/nid_104.c
> @@ -151,6 +151,7 @@ tostruct_nid(ARGS_TOSTRUCT) {
> 
> dns_rdata_toregion(rdata, &region);
> nid->pref = uint16_fromregion(&region);
> + isc_region_consume(&region, 2);
> memmove(nid->nid, region.base, region.length);
> return ISC_R_SUCCESS;
> }
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.

Reply via email to