> Note that it's not possible to reach this code with a DoH dns parameter
> value containing any character greater than 0x7F at present, as the
> parser used to extract the value before calling this code is extremely
> strict and will reject the query. There is no other use of this code as
> of this writing.

Thanks, that matches what I found tracing the callers - I couldn't get a high-bit byte through the front-end parser either, so I agree this isn't reachable today and the practical impact is nil. I sent it as hardening of the decoder itself so it stays safe if it's ever called from a less strict path.

> While the signed issue here should be fixed in my personal opinion, this
> issue is purely theoretical at this point.

Agreed on both counts.

> In any case, the bind-users is a wrong place to report bugs like this. I
> would ask the OP to report this as an issue in our GitLab [...]

Understood, sorry for the noise here. I'll open a GitLab issue with the details and the patch so it doesn't get lost, and drop the theoretical/not-currently-reachable context in there too.

Ismail

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.

