From c585e0659254530cb4820676b7d44540ac3e52ec Mon Sep 17 00:00:00 2001
From: James Stanley
Date: Thu, 12 Jun 2025 10:47:58 +0100
Subject: [PATCH] Fix buffer overflow in dnscache (#3669)
`addr_no` and `alias_no` are calculated based on whichever is smaller out of the actual number of addresses/aliases, and `MAXADDRS-1`/`MAXALIASES-1`. But then the code inserted all of the actual number of addresses/aliases anyway, which makes for a potential buffer overflow, and corrupted deserialisation later.
---
 modules/dns_cache/dns_cache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/dns_cache/dns_cache.c b/modules/dns_cache/dns_cache.c
index c42d825a796..5857b9370b0 100644
--- a/modules/dns_cache/dns_cache.c
+++ b/modules/dns_cache/dns_cache.c
@@ -223,7 +223,7 @@ static char* serialize_he_rdata(struct hostent *he,int *buf_len,int do_encoding)
 /* copy aliases, if any */
 if (he->h_aliases)
- for (i=0;he->h_aliases[i];i++) {
+ for (i=0;ih_aliases[i])+1;
 /* copy alias length */
 memcpy(p,&len,sizeof(int));
@@ -239,7 +239,7 @@ static char* serialize_he_rdata(struct hostent *he,int *buf_len,int do_encoding)
 /* copy addresses */
 if (he->h_addr_list)
- for (i=0;he->h_addr_list[i];i++) {
+ for (i=0;ih_length;
 memcpy(p,he->h_addr_list[i],len);
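Review bot: The new bound on the alias loop has no comment explaining why it stops at `alias_no` instead of the NULL terminator, so a later cleanup could restore the old condition and bring the overflow back; the address loop in the second hunk has the same gap with `addr_no`. The added `for` line is garbled on this page, but going by the commit message the bound is the capped count, so I would put above each loop something like `/* stop at alias_no: the buffer was sized from the capped count, not from the full list */`, after confirming that the size computation (outside this hunk) really uses the capped value. Entries beyond the cap are now dropped without any trace, so a debug-level log at the point where the cap is applied would help when a resolver returns more aliases or addresses than expected. serialize_he_rdata begins and ends outside the hunk.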