commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Apr 10 16:29:31 2026 +0100

    Fix buffer overflow in struct bigname.  CVE-2026-2291
    
    All buffers capable of holding a domain name should be
    at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
    size of a domain name. This accounts for the trailing zero and the
    fact that some characters are escaped in the internal representation
    of a domain name in dnsmasq.
    
    The declaration of struct bigname gets this wrong, with the effect
    that a remote attacker capable of asking DNS queries or answering DNS
    queries can cause a large OOB write in the heap.
    
    This was first spotted by Andrew S. Fasano.

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 254bacd..58be09f 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -479,7 +479,7 @@ struct interface_name {
 };
 
 union bigname {
-  char name[MAXDNAME];
+  char name[(2*MAXDNAME) + 1];
   union bigname *next; /* freelist */
 };
 
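Review bot: The new bound on `name` in `union bigname` has no comment, so the reason for `(2*MAXDNAME) + 1` lives only in the commit message and the next edit could shrink it again. I would put the rule on the declaration, e.g. `char name[(2*MAXDNAME) + 1]; /* escaped internal form can double the length, plus trailing zero */`. The code that writes into `name` is outside this hunk, so it cannot be checked from here; it is worth confirming that those writers take their limit from `sizeof` of the member rather than from a separately spelled constant, so that the declaration and the limit cannot drift apart.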
