commit 434d68f2eb1a58744470698483a3ae09b5a9a870
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Mar 25 23:22:37 2026 +0000

    Fix broken client subnet validation. CVE-2026-4893
    
    Bug report from Royce M <royce@xchglabs.com>
    
    Location: forward.c:713, edns0.c:421
    
    With --add-subnet enabled, process_reply() passes the OPT record
    length (~23 bytes) instead of the packet length to check_source().
    All internal bounds checks fail, and the function always returns 1.
    ECS source validation per RFC 7871 Section 9.2 is completely bypassed.

diff --git a/src/forward.c b/src/forward.c
index e2f64c0..208480d 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
       /* Get extended RCODE. */
       rcode |= sizep[2] << 4;
       
-      if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
+      if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
 	{
 	  my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
 	  return 0;