# Patch Analysis for CVE-2026-5245 ## Overview This document analyzes the fix for CVE-2026-5245 (mDNS Stack Buffer Overflow) in Cesanta Mongoose to identify potential bypasses or variant attack paths. ## The Fix (Commit 0d882f1b) The fix adds bounds checking in `handle_mdns_query()` before building mDNS response records. The vulnerable buffer is: ```c uint8_t buf[sizeof(struct mg_dns_header) + 256 + sizeof(mdns_answer) + 4]; // = 12 + 256 + 10 + 4 = 282 bytes ``` ### Bounds Checks Added 1. **PTR Query Path** (lines 490-493): ```c if ((sizeof(*h) + req.r->srvcproto.len + 8 + respname->len + 13 + 2 + respname->len + 19 + 2 + req.r->txt.len + 10 + 2 + 14) > sizeof(buf)) return; // srv name + PTR + 2 + SRV + 2 + TXT + 2 + A ``` 2. **TXT Query Path** (lines 514-516): ```c if ((sizeof(*h) + req.r->srvcproto.len + 8 + req.r->txt.len + 10) > sizeof(buf)) return; // srv name + TXT ``` 3. **SRV Query Path** (lines 521-524): ```c if ((sizeof(*h) + req.r->srvcproto.len + 8 + respname->len + 19 + 2 + 14) > sizeof(buf)) // srv name + SRV + 2 + A return; ``` 4. **A Record Query Path** (lines 536-538): ```c if ((sizeof(*h) + respname->len + 8 + 14) > sizeof(buf)) // name + A return; ``` ## Fix Analysis ### What the Fix Covers - All 4 mDNS query types (PTR, TXT, SRV, A) now have explicit bounds checks - Each check calculates the total response size before constructing it - If the calculated size exceeds the 282-byte buffer, the function returns early ### Fix Assumptions 1. **Size calculation is correct**: The fix assumes the formula correctly computes the total response size 2. **All entry points covered**: The fix assumes all mDNS query entry points (PTR, TXT, SRV, A) are covered 3. **No integer overflow**: The fix assumes no integer overflow in size calculations ### Potential Bypass Vectors #### 1. Integer Overflow in Size Calculation The bounds check uses addition of multiple size_t values. If any field length is maliciously crafted to cause integer overflow, the check could pass while still overflowing the buffer. **Analysis**: Low probability - the buffer is only 282 bytes, and the fields would need to be extremely large to cause overflow. #### 2. Alternative Entry Points The fix only covers `handle_mdns_query()`. The function `handle_mdns_response()` also processes mDNS packets but doesn't build responses with user-controlled data in the same way. **Analysis**: `handle_mdns_response()` only parses incoming responses and doesn't use the vulnerable buffer pattern. #### 3. Partial Query Matches The original repro uses PTR queries. Testing other query types (TXT, SRV, A) with oversized data may reveal gaps. **Analysis**: The fix explicitly covers all 4 query types, so this should be protected. #### 4. Response Construction Order The bounds check happens once at the beginning, but the response is built piece by piece. If there's any discrepancy between the calculated size and actual construction, a bypass might exist. **Analysis**: The formulas appear comprehensive, matching the actual build sequence. ## Variant Test Strategy To verify the completeness of the fix, we will test: 1. **TXT Query Variant**: Direct TXT query with oversized TXT record (300+ bytes) 2. **SRV Query Variant**: SRV query with oversized service name 3. **A Record Variant**: A record query with oversized hostname Each variant will be tested on both: - Vulnerable version (1bb85799) - should trigger overflow - Fixed version (0d882f1b) - should be blocked by bounds check ## Conclusion The fix appears comprehensive, covering all mDNS query types with explicit bounds checking. However, variant testing is necessary to confirm no gaps exist in the protection.