From 8a42919a8bd3f6f4ffb2982c108ff0c8c944bd56 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 19 Apr 2018 11:01:13 +0200
Subject: [PATCH] EDNS: ensure the NSID fits in the return packet

---
 pdns/pdns_recursor.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index c8c93c7d0..4aa1628e7 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -896,7 +896,8 @@ static void startDoResolve(void *p)
           dc->d_ecsFound = getEDNSSubnetOptsFromString(o.second, &dc->d_ednssubnet);
         } else if (o.first == EDNSOptionCode::NSID) {
           const static string mode_server_id = ::arg()["server-id"];
-          if(mode_server_id != "disabled" && !mode_server_id.empty()) {
+          if(mode_server_id != "disabled" && !mode_server_id.empty() &&
+              maxanswersize > (2 + 2 + mode_server_id.size())) {
             returnedEdnsOptions.push_back(make_pair(EDNSOptionCode::NSID, mode_server_id));
             variableAnswer = true; // Can't packetcache an answer with NSID
             // Option Code and Option Length are both 2
-- 
2.40.0