Security #7464: doh2: buffer is not really limited to 65K as should be for DNS - Suricata - Open Information Security Foundation

Actions

Security #7464

closed

doh2: buffer is not really limited to 65K as should be for DNS

Added by Philippe Antoine 10 months ago. Updated 3 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

Affected Versions:

Label:

CVE:

Git IDs:

Severity:

MODERATE

Disclosure Date:

03/17/2025

Description

Found by oss-fuzz:
https://issues.oss-fuzz.com/u/1/issues/383880388

No need to backport as DOH2 is only in master

Actions

#1

Updated by Philippe Antoine 10 months ago

Status changed from New to In Review

Gitlab MR

Actions

#2

Updated by Philippe Antoine 10 months ago

https://github.com/OISF/suricata/pull/12294

Actions

#3

Updated by Jason Ish 10 months ago

Can we change the title? The current one seems ambiguous, perhaps:

doh2: enforce maximum buffer size of 65k

Actions

#4

Updated by Philippe Antoine 10 months ago

Please do.

What was ambiguous ?

For information, there was a check for this 65K limit, but an incomplete one

Actions

#5

Updated by Jason Ish 10 months ago

"not really limited".. Could be... Should be limited to 65k. Or should not be limited to 65k for whatever reason. So I'm not clear if the fix is enforce a 65k limit? Or something else.

Actions

#6

Updated by Philippe Antoine 10 months ago

Jason Ish wrote in #note-5:

"not really limited".. Could be... Should be limited to 65k. Or should not be limited to 65k for whatever reason. So I'm not clear if the fix is enforce a 65k limit? Or something else.

The fix is indeed to really enforce the limit to 65K because the current enforcing does not work in all cases

Actions

#7

Updated by Philippe Antoine 10 months ago

Status changed from In Review to Closed

https://github.com/OISF/suricata/pull/12305

Actions

#8

Updated by Jason Ish 3 months ago

Private changed from Yes to No

Actions

Also available in: Atom PDF