ODOH: check padding of plaintext, not ciphertext

jedisct1 · jedisct1 · commit 6cb6faf8d3d9 · 2025-11-26T12:48:06.000+01:00
diff --git a/dnscrypt-proxy/oblivious_doh.go b/dnscrypt-proxy/oblivious_doh.go
@@ -179,9 +179,12 @@ func (q ODoHQuery) decryptResponse(response []byte) ([]byte, error) {
 	}
 
 	responseLength := binary.BigEndian.Uint16(responsePlaintext[0:2])
+	if int(responseLength)+2 > len(responsePlaintext) {
+		return nil, fmt.Errorf("Malformed response")
+	}
 	valid := 1
 	for i := 4 + int(responseLength); i < len(responsePlaintext); i++ {
-		valid &= subtle.ConstantTimeByteEq(response[i], 0x00)
+		valid &= subtle.ConstantTimeByteEq(responsePlaintext[i], 0x00)
 	}
 	if valid != 1 {
 		return nil, fmt.Errorf("Malformed response")

Original file line number	Diff line number	Diff line change
`@@ -179,9 +179,12 @@ func (q ODoHQuery) decryptResponse(response []byte) ([]byte, error) {`
`179`	`179`	`}`
`180`	`180`
`181`	`181`	`responseLength := binary.BigEndian.Uint16(responsePlaintext[0:2])`
	`182`	`+ if int(responseLength)+2 > len(responsePlaintext) {`
	`183`	`+ return nil, fmt.Errorf("Malformed response")`
	`184`	`+ }`
`182`	`185`	`valid := 1`
`183`	`186`	`for i := 4 + int(responseLength); i < len(responsePlaintext); i++ {`
`184`		`- valid &= subtle.ConstantTimeByteEq(response[i], 0x00)`
	`187`	`+ valid &= subtle.ConstantTimeByteEq(responsePlaintext[i], 0x00)`
`185`	`188`	`}`
`186`	`189`	`if valid != 1 {`
`187`	`190`	`return nil, fmt.Errorf("Malformed response")`