Comment 0 for bug 1695546

Chris Coulson (chrisccoulson) wrote :

Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. On x86, a page-aligned number minus 80 will do this. E.g., calling dns_packet_new with a size of 4016 will result in an allocation of 4096, but 108 bytes of this are for the DnsPacket struct.

A malicious TCP server can exploit this with specially crafted responses to trick systemd-resolved into allocating a buffer that's too small, which allows it to write arbitrary data beyond the end of it.

To demonstrate this you can run the attached python script. This is a mock DNS server that sends a response where the first two bytes specify a size of 4016 (note, this size is picked to trigger an out of bounds write on x86 - you'll probably need to pick a different number for x86-64). You'll also need to temporarily set your DNS server to 127.0.0.1.
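Added illustration of the size arithmetic behind this report (not systemd's code and not the attached script): it models a 108-byte packet struct placed at the start of one page-rounded allocation, as the x86 figures above describe, and checks whether the payload area left after the header can hold the requested size. The "naive" rounding that reproduces the 4016 -> 4096 result is an assumption chosen to match the numbers in the comment, not a quote of dns_packet_new.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PG_SIZE     4096u   /* x86 page size */
#define HEADER_SIZE 108u    /* DnsPacket struct size on x86 quoted in the report */

/* Round n up to a multiple of PG_SIZE; returns 0 if that would overflow size_t. */
static size_t page_align(size_t n) {
    if (n > SIZE_MAX - (PG_SIZE - 1))
        return 0;
    return (n + PG_SIZE - 1) & ~(size_t)(PG_SIZE - 1);
}

/* Assumed naive model matching the report's numbers: only the requested payload
 * size is rounded up to a page, and the struct header is then carved out of it. */
size_t naive_alloc(size_t payload) {
    return page_align(payload);
}

/* Correct model: add the header before rounding, so the payload always fits. */
size_t safe_alloc(size_t payload) {
    if (payload > SIZE_MAX - HEADER_SIZE)
        return 0;
    return page_align(HEADER_SIZE + payload);
}

/* Does an allocation of 'total' bytes leave room for 'payload' after the header? */
bool fits(size_t total, size_t payload) {
    return total >= HEADER_SIZE && total - HEADER_SIZE >= payload;
}

/* Count requested sizes in [lo, hi] for which the naive allocation is too small.
 * Under this model the unsafe sizes form a band of HEADER_SIZE values just below
 * every page boundary, which is where 4096 - 80 = 4016 falls. */
size_t count_unsafe(size_t lo, size_t hi) {
    size_t n = 0;
    for (size_t s = lo; s <= hi; s++)
        if (!fits(naive_alloc(s), s))
            n++;
    return n;
}

int main(void) {
    size_t s = 4016;   /* the size from the report */
    printf("request %zu: naive alloc %zu (%s), safe alloc %zu (%s)\n", s,
           naive_alloc(s), fits(naive_alloc(s), s) ? "fits" : "too small",
           safe_alloc(s), fits(safe_alloc(s), s) ? "fits" : "too small");
    printf("unsafe requested sizes in 1..8192 under the naive model: %zu\n",
           count_unsafe(1, 8192));
    return 0;
}
```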