
Cap DNS section counts to prevent oversized allocations#133

Open
Isusami wants to merge 1 commit into masterking32:main from Isusami:feature/dns-parser-section-limit

Conversation


@Isusami Isusami commented Apr 13, 2026

Summary

Add a maxSectionCount (256) guard to reject DNS packets with absurdly large section counts before allocating slices, preventing memory-based DoS.

Changes

  • Add ErrSectionCountTooLarge error and maxSectionCount = 256 constant
  • Add bounds check in parseQuestions and parseResourceRecords before slice allocation
  • Add 6 new tests covering oversized QD/AN/NS/AR counts for both ParsePacket and ParsePacketLite

Why

A malformed DNS packet can claim 65535 questions or resource records. Without a cap, the parser allocates a huge slice before discovering the data is truncated. The limit of 256 is well above any legitimate DNS packet while preventing abuse.

Test plan

  • go test -race ./internal/dnsparser/... -- all 30 tests pass (including 6 new), race-clean

Add maxSectionCount (256) guard in parseQuestions and
parseResourceRecords to reject malformed packets with absurdly
large QD/AN/NS/AR counts before allocating slices. Includes 6
new tests covering all section types for both ParsePacket and
ParsePacketLite.
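As an added example (not the PR's or the project's code), a Go header-count check in the spirit of the change: it applies the 256 cap to all four section counts before any slice is allocated and, going beyond the PR, also rejects counts that could not fit in the bytes remaining after the 12-byte header. Names such as ParseSectionCounts, SectionCounts, headerLen and ErrCountExceedsPacket are assumptions; the project's own functions are parseQuestions and parseResourceRecords.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed constants (not the project's): the cap, plus the minimum wire size of a question and of an RR.
const (
	headerLen       = 12
	maxSectionCount = 256
	minQuestionLen  = 5  // root name (1) + QTYPE (2) + QCLASS (2)
	minRRLen        = 11 // root name (1) + TYPE/CLASS (4) + TTL (4) + RDLENGTH (2)
)
var (
	ErrShortHeader          = errors.New("dns: packet shorter than header")
	ErrSectionCountTooLarge = errors.New("dns: section count exceeds maxSectionCount")
	ErrCountExceedsPacket   = errors.New("dns: section counts cannot fit in packet")
)
// SectionCounts holds QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT (RFC 1035 section 4.1.1).
type SectionCounts struct{ QD, AN, NS, AR int }
// ParseSectionCounts validates all four counts before any per-record slice is made.
func ParseSectionCounts(pkt []byte) (SectionCounts, error) {
	if len(pkt) < headerLen {
		return SectionCounts{}, ErrShortHeader
	}
	c := SectionCounts{
		QD: int(binary.BigEndian.Uint16(pkt[4:6])),
		AN: int(binary.BigEndian.Uint16(pkt[6:8])),
		NS: int(binary.BigEndian.Uint16(pkt[8:10])),
		AR: int(binary.BigEndian.Uint16(pkt[10:12])),
	}
	for _, n := range []int{c.QD, c.AN, c.NS, c.AR} {
		if n > maxSectionCount {
			return SectionCounts{}, ErrSectionCountTooLarge // reject before make()
		}
	}
	// A count under the cap can still claim more records than the payload holds.
	if c.QD*minQuestionLen+(c.AN+c.NS+c.AR)*minRRLen > len(pkt)-headerLen {
		return SectionCounts{}, ErrCountExceedsPacket
	}
	return c, nil
}
func main() {
	// Constructed header claiming QDCOUNT = 65535 with no question data behind it.
	bad := []byte{0x12, 0x34, 0x01, 0x00, 0xff, 0xff, 0, 0, 0, 0, 0, 0}
	_, err := ParseSectionCounts(bad)
	fmt.Println(err) // dns: section count exceeds maxSectionCount
}
```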