DNS: Critical out-of-bounds read in the question skip loop #55
Description
while (pos < len && response[pos] != 0) { ... }
if (response[pos] == 0) pos++;
pos += 4;If the while exits because pos == len, the code still evaluates response[pos] (OOB) in if (response[pos] == 0).
That’s a straightforward OOB read bug that can be triggered by a truncated message with qdcount > 0.