commit fa3c8ddef6712b52f562813317e6a997e1210123
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 30 16:24:33 2026 +0100

    Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
    
    Thanks to Hugo Martinez Ray for spotting this.
    
    The value of rdlen for an RR can be a lie, allowing the
    call to extract_name() at rfc1035.c:952 to advance the value of p1
    past the calculated end of the record. This makes the calculation
    of bytes remaining in the RR underflow to a huge number and results
    in a massive heap OOB read and certain crash.

diff --git a/src/rfc1035.c b/src/rfc1035.c
index f0e1082..7e05fb5 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 			      /* Name, extract it then re-encode. */
 			      int len;
 			      
-			      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
+			      /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
+			      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
 				{
 				  blockdata_free(addr.rrblock.rrdata);
 				  return 2;
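Review bot: The new guard `(p1 > endrr)` is correct only because it is an exclusive bound: `p1 == endrr` must remain accepted as "zero bytes left in the RR", and the added comment does not say so, so a later reader could tighten it to `>=` and break names that exactly fill their record. Suggest making the comment carry that contract: `/* rdlen is attacker-controlled and extract_name() is bounded by qlen, not endrr, so p1 may land past endrr; reject that (p1 == endrr is fine, zero bytes left) so the remaining-length subtraction below cannot underflow. */`. If extract_name() is invoked elsewhere in this function under the same endrr assumption, those call sites presumably need the same check; only this one is visible in the hunk. The enclosing branch and the remaining-length computation the guard protects lie outside the hunk.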
