commit 4fdb707633afe8028118bcaf39b4882f634b5999
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Apr 10 16:24:02 2026 +0100

     Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
    
     Report from Royce M <royce@xchglabs.com>.
    
     Location: dnssec.c:1290-1306, dnssec.c:1450-1463
    
    The bitmap window iteration advances by p[1] instead of p[1]+2
    (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
    unchanged, causing an infinite loop in which dnsmasq stops responding to all queries.
    
    Reachable before RRSIG validation
    (confirmed by the source comment at line 2125), so no valid
    DNSSEC signatures are needed.

diff --git a/src/dnssec.c b/src/dnssec.c
index 4bb0495..3951620 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1348,8 +1348,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
 		  break; /* finished checking */
 		}
 	      
-	      rdlen -= p[1];
-	      p +=  p[1];
+	      rdlen -= p[1] + 2;
+	      p +=  p[1] + 2;
 	    }
 	  
 	  return 0;
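Review bot: The new step `p[1] + 2` is subtracted from rdlen and added to p with no visible check that the whole window fits in the remaining rdata, so a bitmap-length byte that overstates what is left could still move p past the end of the type map. The loop in prove_non_existence_nsec starts above the hunk, so whether its condition or an earlier length check already covers this cannot be confirmed from here, and the outcome also depends on whether rdlen is signed. I would guard the advance with `if (p[1] + 2 > rdlen)` followed by the function's failure return, and reject `p[1] == 0 || p[1] > 32` as malformed, since RFC 4034 section 4.1.2 limits a window's bitmap length to 1..32 octets. The identical loop in check_nsec3_coverage in the second hunk needs the same guard. A comment such as `/* skip window number, bitmap length and the bitmap itself */` on the advance would explain the `+ 2`.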
@@ -1512,8 +1512,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
 			break; /* finished checking */
 		      }
 		    
-		    rdlen -= p[1];
-		    p +=  p[1];
+		    rdlen -= p[1] + 2;
+		    p +=  p[1] + 2;
 		  }
 		
 		return 1;
