From 7543a2bb4d344b6709df45e4ba9aa4eadc2401af Mon Sep 17 00:00:00 2001
From: pkgagent <pkgagent@tencent.com>
Date: Mon, 15 Jun 2026 15:14:27 +0800
Subject: [PATCH] Fix CVE-2026-10846: off-path poisoning attack via UDP stub
 resolver

---
 ldns-1.7.0-multilib.patch       |  12 +-
 ldns-1.8.3-CVE-2026-10846.patch | 193 ++++++++++++++++++++++++++++++++
 ldns.spec                       |   9 +-
 3 files changed, 206 insertions(+), 8 deletions(-)
 create mode 100644 ldns-1.8.3-CVE-2026-10846.patch

diff --git a/ldns-1.7.0-multilib.patch b/ldns-1.7.0-multilib.patch
index 61f8de9..3290cd6 100644
--- a/ldns-1.7.0-multilib.patch
+++ b/ldns-1.7.0-multilib.patch
@@ -1,7 +1,7 @@
-diff --git a/ldns-1.8.1/packaging/ldns-config.in b/ldns-1.8.1/packaging/ldns-config.in
+diff --git a/packaging/ldns-config.in b/packaging/ldns-config.in
 index 623f77e..2b961f9 100755
---- a/ldns-1.8.1/packaging/ldns-config.in
-+++ b/ldns-1.8.1/packaging/ldns-config.in
+--- a/packaging/ldns-config.in
++++ b/packaging/ldns-config.in
 @@ -3,16 +3,28 @@
  prefix="@prefix@"
  exec_prefix="@exec_prefix@"
@@ -54,10 +54,10 @@ index 623f77e..2b961f9 100755
      fi
      if [ $arg = "--version" ]
      then
-diff --git a/ldns-1.8.1/packaging/libldns.pc.in b/ldns-1.8.1/packaging/libldns.pc.in
+diff --git a/packaging/libldns.pc.in b/packaging/libldns.pc.in
 index 923b688..3c30db8 100644
---- a/ldns-1.8.1/packaging/libldns.pc.in
-+++ b/ldns-1.8.1/packaging/libldns.pc.in
+--- a/packaging/libldns.pc.in
++++ b/packaging/libldns.pc.in
 @@ -1,7 +1,7 @@
  prefix=@prefix@
  exec_prefix=@exec_prefix@
diff --git a/ldns-1.8.3-CVE-2026-10846.patch b/ldns-1.8.3-CVE-2026-10846.patch
new file mode 100644
index 0000000..e5a68f5
--- /dev/null
+++ b/ldns-1.8.3-CVE-2026-10846.patch
@@ -0,0 +1,193 @@
+From: NLnet Labs <info@nlnetlabs.nl>
+Date: 2026
+Subject: [PATCH] Fix CVE-2026-10846: off-path poisoning attack via UDP stub resolver
+
+Check that the reply source address/port matches the query destination,
+that the reply ID matches the query ID, and that the question section
+matches before accepting the response.
+
+Adapted-by: PkgAgent/deepseek-v4 (modified to adapt to opencloudos-stream 1.8.3)
+diff --git a/error.c b/error.c
+index e3fd121..f046c96 100644
+--- a/error.c
++++ b/error.c
+@@ -184,6 +184,12 @@ ldns_lookup_table ldns_error_str[] = {
+ 	{ LDNS_STATUS_INVALID_SVCPARAM_VALUE,
+ 		"Invalid wireformat of a value "
+ 		"in the ServiceParam rdata field of SVCB or HTTPS RR" },
++	{ LDNS_STATUS_ID_DID_NOT_MATCH,
++		"Response ID did not match the query ID" },
++	{ LDNS_STATUS_QDCOUNT_MUST_BE_ONE,
++		"The query section MUST contain exactly one question" },
++	{ LDNS_STATUS_QUERY_DID_NOT_MATCH,
++		"The question in the response did not match the query" },
+ 	{ 0, NULL }
+ };
+ 
+diff --git a/ldns/error.h b/ldns/error.h
+index 2429b77..5754f5a 100644
+--- a/ldns/error.h
++++ b/ldns/error.h
+@@ -141,7 +141,10 @@ enum ldns_enum_status {
+ 	LDNS_STATUS_RESERVED_SVCPARAM_KEY,
+ 	LDNS_STATUS_NO_SVCPARAM_VALUE_EXPECTED,
+ 	LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE,
+-	LDNS_STATUS_INVALID_SVCPARAM_VALUE
++	LDNS_STATUS_INVALID_SVCPARAM_VALUE,
++	LDNS_STATUS_ID_DID_NOT_MATCH,
++	LDNS_STATUS_QDCOUNT_MUST_BE_ONE,
++	LDNS_STATUS_QUERY_DID_NOT_MATCH
+ };
+ typedef enum ldns_enum_status ldns_status;
+ 
+diff --git a/net.c b/net.c
+index 57d4dff..215c0ca 100644
+--- a/net.c
++++ b/net.c
+@@ -441,6 +441,50 @@ ldns_udp_bgsend2(ldns_buffer *qbin,
+ 	return ldns_udp_bgsend_from(qbin, to, tolen, NULL, 0, timeout);
+ }
+ 
++/** helper sockaddr compare function. returns -1, 0 or 1. */
++static int
++ldns_sockaddr_cmp(const struct sockaddr_storage* addr1, socklen_t len1,
++	const struct sockaddr_storage* addr2, socklen_t len2)
++{
++	struct sockaddr_in* p1_in = (struct sockaddr_in*)addr1;
++	struct sockaddr_in* p2_in = (struct sockaddr_in*)addr2;
++	struct sockaddr_in6* p1_in6 = (struct sockaddr_in6*)addr1;
++	struct sockaddr_in6* p2_in6 = (struct sockaddr_in6*)addr2;
++	if(len1 < len2)
++		return -1;
++	if(len1 > len2)
++		return 1;
++	assert(len1 == len2);
++	if( p1_in->sin_family < p2_in->sin_family)
++		return -1;
++	if( p1_in->sin_family > p2_in->sin_family)
++		return 1;
++	assert( p1_in->sin_family == p2_in->sin_family );
++	/* compare ip4 */
++	if( p1_in->sin_family == AF_INET ) {
++		/* just order it, ntohs not required */
++		if(p1_in->sin_port < p2_in->sin_port)
++			return -1;
++		if(p1_in->sin_port > p2_in->sin_port)
++			return 1;
++		assert(p1_in->sin_port == p2_in->sin_port);
++		return memcmp(&p1_in->sin_addr, &p2_in->sin_addr,
++			sizeof(p1_in->sin_addr));
++	} else if (p1_in6->sin6_family == AF_INET6) {
++		/* just order it, ntohs not required */
++		if(p1_in6->sin6_port < p2_in6->sin6_port)
++			return -1;
++		if(p1_in6->sin6_port > p2_in6->sin6_port)
++			return 1;
++		assert(p1_in6->sin6_port == p2_in6->sin6_port);
++		return memcmp(&p1_in6->sin6_addr, &p2_in6->sin6_addr,
++			sizeof(p1_in6->sin6_addr));
++	} else {
++		/* eek unknown type, perform this comparison for sanity. */
++		return memcmp(addr1, addr2, len1);
++	}
++}
++
+ static ldns_status
+ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin,
+ 		const struct sockaddr_storage *to  , socklen_t tolen,
+@@ -449,6 +493,8 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin,
+ {
+ 	int sockfd;
+ 	uint8_t *answer;
++	struct sockaddr_storage reply_addr;
++	socklen_t reply_addr_len;
+ 
+ 	sockfd = ldns_udp_bgsend_from(qbin, to, tolen, from, fromlen, timeout);
+ 
+@@ -467,13 +513,21 @@ ldns_udp_send_from(uint8_t **result, ldns_buffer *qbin,
+          * but returns a 'NETWORK_ERROR' much like a timeout. */
+         ldns_sock_nonblock(sockfd);
+ 
+-	answer = ldns_udp_read_wire(sockfd, answer_size, NULL, NULL);
++	reply_addr_len = sizeof(reply_addr);
++	memset(&reply_addr, 0, reply_addr_len);
++	answer = ldns_udp_read_wire(sockfd, answer_size, &reply_addr,
++		&reply_addr_len);
+ 	close_socket(sockfd);
+ 
+ 	if (!answer) {
+ 		/* oops */
+ 		return LDNS_STATUS_NETWORK_ERR;
+ 	}
++	/* Check that the reply came from the to addr. */
++	if(ldns_sockaddr_cmp(to, tolen, &reply_addr, reply_addr_len) != 0) {
++		free(answer);
++		return LDNS_STATUS_NETWORK_ERR;
++	}
+ 
+ 	*result = answer;
+ 	return LDNS_STATUS_OK;
+@@ -512,6 +566,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf
+ 
+ 	assert(r != NULL);
+ 
++	/* The query should at least have one question */
++	if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1)
++		return LDNS_STATUS_QDCOUNT_MUST_BE_ONE;
++
+ 	status = LDNS_STATUS_OK;
+ 	rtt = ldns_resolver_rtt(r);
+ 	ns_array = ldns_resolver_nameservers(r);
+@@ -599,6 +657,16 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf
+ 			ldns_resolver_set_nameserver_rtt(r, i, LDNS_RESOLV_RTT_INF);
+ 			status = send_status;
+ 		}
++		if(reply_bytes && ldns_buffer_limit(qb) >= 2) {
++			uint16_t txid = ldns_buffer_read_u16_at(qb, 0);
++			if(reply_size < 2 ||
++				ldns_read_uint16(reply_bytes) != txid) {
++				status = LDNS_STATUS_ID_DID_NOT_MATCH;
++				LDNS_FREE(reply_bytes);
++				reply_bytes = NULL;
++				reply_size = 0;
++			}
++		}
+ 		
+ 		/* obey the fail directive */
+ 		if (!reply_bytes) {
+@@ -608,7 +676,7 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf
+ 					LDNS_FREE(src);
+ 				}
+ 				LDNS_FREE(ns);
+-				return LDNS_STATUS_ERR;
++				return status ? status : LDNS_STATUS_ERR;
+ 			} else {
+ 				LDNS_FREE(ns);
+ 				continue;
+@@ -670,6 +738,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf
+ #endif /* HAVE_SSL */
+ 
+ 	LDNS_FREE(reply_bytes);
++	if (reply) {
++		ldns_pkt *query = NULL;
++
++		if(ldns_pkt_qdcount(reply) != 1) {
++			status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE;
++			ldns_pkt_free(reply);
++			reply = NULL;
++
++		} else if(ldns_wire2pkt(&query
++		                , ldns_buffer_begin(qb)
++		                , ldns_buffer_position(qb)) != LDNS_STATUS_OK
++		|| ldns_pkt_qdcount(query) != 1
++		|| ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0)
++		                  ,ldns_rr_list_rr(ldns_pkt_question(reply),0))){
++			status = LDNS_STATUS_QUERY_DID_NOT_MATCH;
++			ldns_pkt_free(reply);
++			reply = NULL;
++		}
++		ldns_pkt_free(query);
++	}
+ 	if (result) {
+ 		*result = reply;
+ 	}
diff --git a/ldns.spec b/ldns.spec
index 7ed12d6..fab5804 100644
--- a/ldns.spec
+++ b/ldns.spec
@@ -17,12 +17,13 @@
 Summary:       Low-level DNS(SEC) library with API
 Name:          ldns
 Version:       1.8.3
-Release:       9%{?dist}
+Release:       10%{?dist}
 License:       BSD-3-Clause
 Url:           https://www.nlnetlabs.nl/%{name}/
 Source0:       https://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
 
 Patch3000:     ldns-1.7.0-multilib.patch
+Patch0001:     ldns-1.8.3-CVE-2026-10846.patch
 
 BuildRequires: gcc make libpcap-devel openssl-devel gcc-c++ doxygen gnupg2
 BuildRequires: python3-devel swig perl-devel perl-ExtUtils-MakeMaker
@@ -71,7 +72,7 @@ Perl extensions for ldns
 %autosetup -cn %{pkgname} -N
 pushd %{pkgname}
 
-%autopatch -p2
+%autopatch -p1
 sed -i "s/@includedir@/@includedir@\/ldns/" packaging/libldns.pc.in
 cp -pr doc LICENSE README* Changelog ../
 cp -p contrib/ldnsx/LICENSE ../LICENSE.ldnsx
@@ -183,6 +184,10 @@ rm -rf doc/man
 %{_mandir}/man3/*.3pm.gz
 
 %changelog
+* Mon Jun 15 2026 PkgAgent Robot <pkgagent@opencloudos.tech> - 1.8.3-10
+- [Type] security
+- [DESC] Fix CVE-2026-10846: off-path poisoning attack via UDP stub resolver
+
 * Thu Sep 26 2024 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 1.8.3-9
 - Rebuilt for clarifying the packages requirement in BaseOS and AppStream
 
-- 
Gitee