A flaw was found in edk2. The DNS driver only checks the received packet size against the minimum DNS header size in DnsOnPacketReceived(). Later, it accesses the QueryName and QuerySection beyond the header scope, which might cause a pointer within the DNS driver to point to an invalid entry or modify memory content beyond the header scope.

Upstream Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=809
Upstream Patch: https://lists.01.org/pipermail/edk2-devel/2019-February/037251.html
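The difference between the header-only size check described above and a check that also covers the query name and query section, as an added example that is not edk2 code and not the upstream patch. All function and macro names are hypothetical, the sample packet is constructed, and rejecting compression pointers in the question name is a simplifying assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HEADER_LEN   12u  /* fixed DNS header size (RFC 1035) */
#define DNS_QUERY_FIXED   4u  /* QTYPE + QCLASS that follow the name */
#define DNS_MAX_LABEL    63u  /* larger values are compression pointers */

/* Constructed sample: response header, QNAME "ab.c", QTYPE=A, QCLASS=IN. */
const uint8_t sample_pkt[22] = {
    0, 0, 0x81, 0x80, 0, 1, 0, 0, 0, 0, 0, 0,
    2, 'a', 'b', 1, 'c', 0, 0, 1, 0, 1 };

/* Header-only check: says nothing about the bytes after the header. */
int header_only_check(size_t len) { return len >= DNS_HEADER_LEN; }

/* Hypothetical hardened check: walk the name label by label and confirm the
 * name and QTYPE/QCLASS lie inside the packet. Returns the QTYPE offset,
 * or -1 if the packet is truncated or malformed. */
long dns_query_section_offset(const uint8_t *pkt, size_t len)
{
    size_t off = DNS_HEADER_LEN;

    if (pkt == NULL || len < DNS_HEADER_LEN)
        return -1;
    for (;;) {
        if (off >= len)                  /* length byte must be in range */
            return -1;
        uint8_t label = pkt[off++];
        if (label == 0)                  /* root label ends the name */
            break;
        if (label > DNS_MAX_LABEL || label > len - off)
            return -1;                   /* pointer, or label overruns packet */
        off += label;
    }
    if (len - off < DNS_QUERY_FIXED)     /* QTYPE and QCLASS must be present */
        return -1;
    return (long)off;
}

int main(void)
{
    const size_t lens[] = { 12, 14, 20, sizeof sample_pkt };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu header_only=%d query_offset=%ld\n", lens[i],
               header_only_check(lens[i]),
               dns_query_section_offset(sample_pkt, lens[i]));
    return 0;
}
```

Every truncated length passes the header-only check, while the label walk rejects each one before any field past the header is read.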
Created edk2 tracking bugs for this issue:
Affects: epel-all [bug 1683331]
Affects: fedora-all [bug 1683330]
Statement: This issue did not affect the versions of OVMF as shipped with Red Hat Enterprise Linux 7, as they were not compiled with HTTP_BOOT_ENABLE set; thus, they do not contain the vulnerable code.