Security #8584
dns/mdns: forward compression pointers accepted
Status: closed
Description
- Summary
The DNS name parser accepts forward compression pointers. RFC 1035 section 4.1.4 requires a compression pointer to refer to a prior occurrence of the name. Suricata validates only the upper bound and detects an immediate self-reference; it does not check that the pointer offset lies before the current position.
- Affected Code
File: `rust/src/dns/parser.rs:92-116`
The DNS parser is reused by mDNS via `rust/src/mdns/mdns.rs:39`.
```rust
let offset = usize::from(leader) & 0x3fff;
if offset > message.len() { // only validates upper bound
    return Err(...);
}
// Does NOT validate offset < current_position
pos = &message[offset..];
```
- Impact
Real resolvers such as BIND and Unbound reject forward pointers. An attacker can construct DNS messages for which Suricata decodes a different name than the actual resolver does, evading `dns.query` content or PCRE rules.
- Suggested Fix
Add validation to enforce backwards-only pointers per RFC 1035:
```rust
if offset >= current_position {
    return Err(...);
}
```
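As an added, stand-alone example (not Suricata's parser and not code from the reporter), the following Rust name decoder implements the backwards-only rule from the suggested fix. It also keeps a pointer-hop budget, because a pointer that satisfies `target < pos` can still form a cycle (labels at offsets 5..7 followed by a pointer at 7 back to 5). The three sample messages are constructed for this example and contain only name bytes, no DNS header; `strict_backward = false` reproduces the lenient behaviour described above so the two outcomes can be compared.

```rust
// Added example: minimal DNS name decoder enforcing RFC 1035 s4.1.4
// (compression pointers must refer to a PRIOR occurrence). Not Suricata code.

#[derive(Debug, PartialEq)]
pub enum NameError {
    Truncated,
    /// Pointer at offset `at` refers to `target`, which is not before `at`.
    ForwardPointer { at: usize, target: usize },
    PointerLoop,
    BadLabelType,
}

/// Backward-only pointers do not by themselves rule out a cycle, so a hop
/// budget is enforced in addition to the direction check.
const MAX_POINTER_HOPS: usize = 16;

/// Decode the name starting at `start`. Returns the dotted name and the
/// offset of the first byte after the name as it appears in the stream
/// (i.e. just after the first pointer, if one was followed).
pub fn parse_name(
    msg: &[u8],
    start: usize,
    strict_backward: bool,
) -> Result<(String, usize), NameError> {
    let mut labels: Vec<String> = Vec::new();
    let mut pos = start;
    let mut end_after_first_pointer: Option<usize> = None;
    let mut hops = 0usize;

    loop {
        let len = usize::from(*msg.get(pos).ok_or(NameError::Truncated)?);
        match len & 0xC0 {
            0x00 => {
                if len == 0 {
                    // Root label terminates the name.
                    let name = if labels.is_empty() {
                        ".".to_string()
                    } else {
                        labels.join(".")
                    };
                    return Ok((name, end_after_first_pointer.unwrap_or(pos + 1)));
                }
                let label = msg
                    .get(pos + 1..pos + 1 + len)
                    .ok_or(NameError::Truncated)?;
                labels.push(String::from_utf8_lossy(label).into_owned());
                pos += 1 + len;
            }
            0xC0 => {
                let low = usize::from(*msg.get(pos + 1).ok_or(NameError::Truncated)?);
                let target = ((len & 0x3F) << 8) | low;
                // The check the report asks for: the target must precede the pointer.
                if strict_backward && target >= pos {
                    return Err(NameError::ForwardPointer { at: pos, target });
                }
                if end_after_first_pointer.is_none() {
                    end_after_first_pointer = Some(pos + 2);
                }
                hops += 1;
                if hops > MAX_POINTER_HOPS {
                    return Err(NameError::PointerLoop);
                }
                pos = target;
            }
            // 0x40 / 0x80 are reserved or obsolete extended label types.
            _ => return Err(NameError::BadLabelType),
        }
    }
}

// Constructed samples (name bytes only, no header).
// "www.example.com" at offset 0, then "mail" + pointer back to offset 4 ("example.com").
pub const MSG_BACKWARD: [u8; 24] = [
    3, b'w', b'w', b'w', 7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 3, b'c', b'o', b'm', 0,
    4, b'm', b'a', b'i', b'l', 0xC0, 0x04,
];
// "mail" + pointer FORWARD to offset 7, where "example.com" follows.
pub const MSG_FORWARD: [u8; 20] = [
    4, b'm', b'a', b'i', b'l', 0xC0, 0x07, 7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 3, b'c',
    b'o', b'm', 0,
];
// "a" followed by a backward pointer to offset 0: a legal-direction cycle.
pub const MSG_LOOP: [u8; 4] = [1, b'a', 0xC0, 0x00];

fn main() {
    println!("{:?}", parse_name(&MSG_BACKWARD, 17, true));
    println!("{:?}", parse_name(&MSG_FORWARD, 0, true));
    println!("{:?}", parse_name(&MSG_FORWARD, 0, false));
    println!("{:?}", parse_name(&MSG_LOOP, 0, true));
}
```

With `strict_backward = true` the forward-pointer message is rejected at the pointer (offset 5, target 7), which matches what a resolver does; with the check disabled the same bytes decode to `mail.example.com`, which is exactly the mismatch the impact section describes. A detection-side parser that wants to stay aligned with resolver behaviour should fail closed on the forward pointer rather than decode a name the resolver never sees.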
- Environment
Suricata main branch @ commit 367ca7f (post v8.0.1, May 15, 2026).
- Credit
Reported by Chris Ramos.