systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1455495]
The issue was introduced in systemd v225 by following commit:
The vulnerable code (dereferencing p->question->n_keys without first asserting on p->question) was first introduced in dns_transaction_process_reply function and later transferred to dns_packet_is_reply_for while doing refactoring in the following commit:
RHEL-7 ships systemd v219 that does not have this vulnerability.
This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7.