## Fix Summary

The fix adds explicit bounds checks in the mDNS response construction path (`handle_mdns_query`) before writing PTR/TXT/SRV/A response records into a fixed-size stack buffer (`buf`, 282 bytes). If the computed response size exceeds `sizeof(buf)`, the function now returns early, preventing the unbounded `build_txt_record()`/record-construction writes that previously caused a stack buffer overflow.

## Changes Made

- `mongoose/src/dns.c`
  - Added size guards for all mDNS response branches in `handle_mdns_query`:
    - PTR response path (PTR + SRV + TXT + A)
    - TXT response path
    - SRV response path (SRV + A)
    - A response path
- `mongoose/mongoose.c`
  - Applied the same bounds checks in the amalgamated build file to keep behavior consistent with `src/dns.c` builds.
- `coding/proposed_fix.diff`
  - Unified diff containing only the above security fix.

## Verification Steps

1. Created and ran `coding/verify_fix.sh`.
2. Script workflow:
   - Resets repo to vulnerable commit: `0d882f1b^`
   - Builds ASAN-instrumented mDNS harness
   - Sends crafted PTR queries that force a 300-byte TXT record
   - Confirms vulnerable build crashes with stack overflow
   - Applies `coding/proposed_fix.diff`
   - Rebuilds and reruns the same exploit traffic
   - Confirms no ASAN overflow after patch, while request handling still occurs
3. Command run:
   - `./coding/verify_fix.sh`
4. Key output:
   - `[+] Verification successful`
   - `Vulnerable run: overflow reproduced`
   - `Patched run: overflow blocked`

Evidence files:
- Vulnerable crash: `coding/logs/vuln_server.log` (contains `AddressSanitizer: stack-buffer-overflow` in `build_txt_record`/`handle_mdns_query`)
- Patched behavior: `coding/logs/fixed_server.log` (shows repeated `Got mDNS request! Type=12` with no ASAN overflow)

## Test Results

- **Vulnerable baseline:** PASS (overflow reproduced)
  - ASAN reports stack-buffer-overflow on mDNS PTR-triggered TXT write.
- **Patched build:** PASS (overflow prevented)
  - No ASAN stack-buffer-overflow under the same exploit input.
  - mDNS requests are still parsed/handled (functional behavior preserved).

Edge cases exercised:
- Repeated exploit attempts (multiple PTR packets) against the patched target did not crash.
- The patch includes protections for PTR/TXT/SRV/A response branches, not just the demonstrated PTR trigger path.

## Remaining Concerns

- Verification focuses on the known high-impact trigger (PTR -> oversized TXT). Additional fuzz/property tests across malformed DNS names and extreme length combinations would further strengthen confidence.
- The current fix relies on manual per-branch size formulas; future hardening could centralize size accounting to reduce maintenance risk.
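
One way to centralize the size accounting raised in the last concern, as an added sketch that is not Mongoose's code or part of the patch: every write goes through a single bounded append with a sticky failure flag, so no branch carries its own size formula. The names `out_buf`, `out_put`, `out_put_txt` and `build_response` are hypothetical and the 12-byte header is a constructed placeholder; only the 282-byte buffer and the 300-byte TXT size come from this report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 282 /* response buffer size stated in this report */
/* Hypothetical bounded writer: all record bytes go through out_put(). */
struct out_buf {
  uint8_t *data;
  size_t cap, len; /* capacity and bytes written so far */
  bool failed;     /* sticky: set once a write would not fit */
};

/* Append n bytes, or mark the writer failed and copy nothing. */
static bool out_put(struct out_buf *o, const void *src, size_t n) {
  if (o->failed || n > o->cap - o->len) { /* len <= cap, so no wraparound */
    o->failed = true;
    return false;
  }
  memcpy(o->data + o->len, src, n);
  o->len += n;
  return true;
}

/* Append TXT data as length-prefixed character-strings (255 bytes max each). */
static bool out_put_txt(struct out_buf *o, const char *txt, size_t txt_len) {
  while (txt_len > 0 && !o->failed) {
    uint8_t chunk = (uint8_t) (txt_len > 255 ? 255 : txt_len);
    out_put(o, &chunk, 1);
    out_put(o, txt, chunk); /* no-op if the length byte already failed */
    txt += chunk; txt_len -= chunk;
  }
  return !o->failed;
}

/* Returns the number of bytes to send, or 0 when the response must be dropped. */
size_t build_response(const char *txt, size_t txt_len) {
  uint8_t buf[RESP_BUF_SIZE];
  static const uint8_t header[12] = {0}; /* constructed placeholder header */
  struct out_buf o = {buf, sizeof(buf), 0, false};
  out_put(&o, header, sizeof(header));
  out_put_txt(&o, txt, txt_len);
  return o.failed ? 0 : o.len;
}

int main(void) {
  char txt[300] = {0}; /* constructed payload, sized like the report's TXT */
  printf("20 -> %zu, 300 -> %zu\n", build_response(txt, 20), build_response(txt, 300));
  return 0;
}
```

Because the failure flag is sticky, a caller checks it once at the end instead of after every record, which is what removes the per-branch arithmetic.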
