Security #8584
Updated by Jason Ish 17 days ago
Freshdesk ticket: https://suricata.freshdesk.com/a/tickets/135
Freshdesk finding: M-4
Freshdesk created: 2026-05-19T17:58:20Z
Reporter-stated severity: MEDIUM
## Summary
The DNS name parser accepts forward compression pointers. RFC 1035 section 4.1.4 requires compression pointers to point backwards to a previous occurrence. Suricata only validates the upper bound and detects immediate self-reference, but does not validate that the pointer offset is before the current position.
## Affected Code
File: `rust/src/dns/parser.rs:92-116`
The DNS parser is reused by mDNS via `rust/src/mdns/mdns.rs:39`.
```rust
let offset = usize::from(leader) & 0x3fff;
if offset > message.len() { // only validates upper bound
return Err(...);
}
// Does NOT validate offset < current_position
pos = &message[offset..];
```
## Impact
Real resolvers such as BIND and Unbound reject forward pointers. An attacker can construct DNS messages where Suricata resolves a different name than the actual resolver, evading `dns.query` content or PCRE rules.
## Suggested Fix
Add validation to enforce backwards-only pointers per RFC 1035:
```rust
if offset >= current_position { return Err(...); }
```
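To make the check concrete, here is a small stand-alone name parser that enforces the RFC 1035 backward-only rule. It is an added example written for this ticket, not Suricata's parser and not a proposed patch; the names `parse_name`, `NameError` and the limits `MAX_POINTERS`, `MAX_LABEL_LEN` and `MAX_NAME_LEN` are this example's own choices, and the four sample messages are constructed inline. It also keeps a pointer budget, because a backward-only check on its own does not rule out every pointer loop (a pointer may legally land inside an earlier label's bytes).

```rust
/// Errors the hardened name parser can return (example types, not Suricata's).
#[derive(Debug, PartialEq, Eq)]
pub enum NameError {
    Truncated,
    BadLabelType,
    LabelTooLong,
    NameTooLong,
    PointerOutOfBounds,
    /// Compression pointer that does not refer to an earlier position (RFC 1035 4.1.4).
    ForwardPointer { pointer_at: usize, target: usize },
    TooManyPointers,
}

const MAX_LABEL_LEN: usize = 63; // RFC 1035 2.3.4
const MAX_NAME_LEN: usize = 255; // RFC 1035 2.3.4
const MAX_POINTERS: usize = 16; // example budget against pointer loops

/// Parse a DNS name starting at `start` in `message`.
/// Returns the dotted name and the offset just past the name in the
/// un-followed stream (i.e. past the first pointer if one was followed).
pub fn parse_name(message: &[u8], start: usize) -> Result<(String, usize), NameError> {
    let mut labels: Vec<String> = Vec::new();
    let mut pos = start;
    let mut end_of_name: Option<usize> = None;
    let mut pointers_followed = 0usize;
    let mut name_len = 0usize;

    loop {
        let leader = *message.get(pos).ok_or(NameError::Truncated)?;
        match leader & 0xC0 {
            0x00 => {
                let len = usize::from(leader);
                if len == 0 {
                    // Root label terminates the name.
                    return Ok((labels.join("."), end_of_name.unwrap_or(pos + 1)));
                }
                if len > MAX_LABEL_LEN {
                    return Err(NameError::LabelTooLong);
                }
                let label = message
                    .get(pos + 1..pos + 1 + len)
                    .ok_or(NameError::Truncated)?;
                name_len += len + 1;
                if name_len > MAX_NAME_LEN {
                    return Err(NameError::NameTooLong);
                }
                labels.push(String::from_utf8_lossy(label).into_owned());
                pos += 1 + len;
            }
            0xC0 => {
                let second = *message.get(pos + 1).ok_or(NameError::Truncated)?;
                let offset = ((usize::from(leader) & 0x3f) << 8) | usize::from(second);
                // Upper bound: the target byte must exist.
                if offset >= message.len() {
                    return Err(NameError::PointerOutOfBounds);
                }
                // Lower bound (the missing check): the target must be a prior
                // occurrence, which also rejects immediate self-reference.
                if offset >= pos {
                    return Err(NameError::ForwardPointer { pointer_at: pos, target: offset });
                }
                pointers_followed += 1;
                if pointers_followed > MAX_POINTERS {
                    return Err(NameError::TooManyPointers);
                }
                if end_of_name.is_none() {
                    end_of_name = Some(pos + 2);
                }
                pos = offset;
            }
            _ => return Err(NameError::BadLabelType),
        }
    }
}

// Constructed sample messages (name-parsing bytes only, no DNS header).
/// "example.com" at offset 0, then a valid backward pointer to it at offset 13.
pub const BACKWARD_OK: &[u8] = &[
    7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 3, b'c', b'o', b'm', 0, 0xC0, 0x00,
];
/// Pointer at offset 0 that points forward to the label "a" at offset 4.
pub const FORWARD_POINTER: &[u8] = &[0xC0, 0x04, 0, 0, 1, b'a', 0];
/// Pointer that refers to itself.
pub const SELF_POINTER: &[u8] = &[0xC0, 0x00];
/// Backward pointer whose target lies inside an earlier label, forming a loop.
pub const POINTER_LOOP: &[u8] = &[2, 1, b'x', 0xC0, 0x01];

fn main() {
    println!("{:?}", parse_name(BACKWARD_OK, 13));
    println!("{:?}", parse_name(FORWARD_POINTER, 0));
    println!("{:?}", parse_name(SELF_POINTER, 0));
    println!("{:?}", parse_name(POINTER_LOOP, 0));
}
```

The `offset >= pos` comparison subsumes the existing self-reference check, since a pointer to its own position is simply the smallest forward offset. The `POINTER_LOOP` message shows why the pointer budget stays: every pointer in it points backwards, yet following it returns to the same pointer indefinitely.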
## Environment
Suricata main branch @ commit 367ca7f (post v8.0.1, May 15, 2026).
## Credit
Reported by Chris Ramos.