dnsmasq: CVE-2017-14496

Invalid boundary checks here. Integer underflow leading to a huge memcpy. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14496 https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-10-04 12:34:29 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-10-04 15:28:01 +0200
commit: c65b24cdfd9edbc25796ba7db9a9ca68513324e9 (patch)
tree: 0efeceeac14716631dcc99b73650dadcc8cf4b0f
parent: 91b02ae7ac707984cd5182bb39c2fe8086a1696f (diff)
download: meta-el-common-c65b24cdfd9edbc25796ba7db9a9ca68513324e9.tar.gz
2 files changed, 95 insertions, 0 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
new file mode 100644
index 0000000..333a890
--- /dev/null
+++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
@@ -0,0 +1,94 @@
+From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:11:58 +0100
+Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS
+ response creation.
+Fix DoS in DNS. Invalid boundary checks in the
+add_pseudoheader function allows a memcpy call with negative
+size An attacker which can send malicious DNS queries
+to dnsmasq can trigger a DoS remotely.
+dnsmasq is vulnerable only if one of the following option is
+specified: --add-mac, --add-cpe-id or --add-subnet.
+CVE: CVE-2017-14496
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGELOG   |   11 +++++++++++
+ src/edns0.c |   13 ++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+diff --git a/CHANGELOG b/CHANGELOG
+index d1cc074..8fe00ed 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -60,6 +60,17 @@ version 2.78
+        and Kevin Hamacher of the Google Security Team for
+        finding this.
+        
+       Fix DoS in DNS. Invalid boundary checks in the
+       add_pseudoheader function allows a memcpy call with negative
+       size An attacker which can send malicious DNS queries
+       to dnsmasq can trigger a DoS remotely.
+       dnsmasq is vulnerable only if one of the following option is
+       specified: --add-mac, --add-cpe-id or --add-subnet.
+       CVE-2017-14496 applies.
+       Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+       and Kevin Hamacher of the Google Security Team for
+       finding this.
+       
+        
+ version 2.77
+        Generate an error when configured with a CNAME loop,
+diff --git a/src/edns0.c b/src/edns0.c
+index f5b798c..95b74ee 100644
+--- a/src/edns0.c
+++ b/src/edns0.c
+@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+          GETSHORT(len, p);
+          
+          /* malformed option, delete the whole OPT RR and start again. */
+-         if (i + len > rdlen)
+         if (i + 4 + len > rdlen)
+            {
+              rdlen = 0;
+              is_last = 0;
+@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+                             ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
+                             header, plen)))
+        return plen;
+      if (p + 11 > limit)
+       return plen; /* Too big */
+       *p++ = 0; /* empty name */
+       PUTSHORT(T_OPT, p);
+       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+       /* Copy back any options */
+       if (buff)
+        {
+          if (p + rdlen > limit)
+          {
+            free(buff);
+            return plen; /* Too big */
+          }
+          memcpy(p, buff, rdlen);
+          free(buff);
+          p += rdlen;
+@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+   /* Add new option */
+   if (optno != 0 && replace != 2)
+     {
+      if (p + 4 > limit)
+       return plen; /* Too big */
+       PUTSHORT(optno, p);
+       PUTSHORT(optlen, p);
+      if (p + optlen > limit)
+       return plen; /* Too big */
+       memcpy(p, opt, optlen);
+       p += optlen;  
+       PUTSHORT(p - datap, lenp);
+-- 
+1.7.10.4
diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
index c0c4633..07f8a6c 100644
--- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend
+++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://0001-CVE-2017-14491.patch \
    file://CVE-2017-14492.patch \
    file://CVE-2017-14493.patch \
    file://CVE-2017-14494.patch \
+    file://CVE-2017-14496.patch \
 "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-10-04 12:34:29 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-10-04 15:28:01 +0200
commit	c65b24cdfd9edbc25796ba7db9a9ca68513324e9 (patch)
tree	0efeceeac14716631dcc99b73650dadcc8cf4b0f
parent	91b02ae7ac707984cd5182bb39c2fe8086a1696f (diff)
download	meta-el-common-c65b24cdfd9edbc25796ba7db9a9ca68513324e9.tar.gz

diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch new file mode 100644 index 0000000..333a890 --- /dev/null +++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
@@ -0,0 +1,94 @@
		1	From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 20:11:58 +0100
		4	Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS
		5	response creation.
		6
		7	Fix DoS in DNS. Invalid boundary checks in the
		8	add_pseudoheader function allows a memcpy call with negative
		9	size An attacker which can send malicious DNS queries
		10	to dnsmasq can trigger a DoS remotely.
		11	dnsmasq is vulnerable only if one of the following option is
		12	specified: --add-mac, --add-cpe-id or --add-subnet.
		13
		14	CVE: CVE-2017-14496
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		18	---
		19	CHANGELOG \| 11 +++++++++++
		20	src/edns0.c \| 13 ++++++++++++-
		21	2 files changed, 23 insertions(+), 1 deletion(-)
		22
		23	diff --git a/CHANGELOG b/CHANGELOG
		24	index d1cc074..8fe00ed 100644
		25	--- a/CHANGELOG
		26	+++ b/CHANGELOG
		27	@@ -60,6 +60,17 @@ version 2.78
		28	and Kevin Hamacher of the Google Security Team for
		29	finding this.
		30
		31	+ Fix DoS in DNS. Invalid boundary checks in the
		32	+ add_pseudoheader function allows a memcpy call with negative
		33	+ size An attacker which can send malicious DNS queries
		34	+ to dnsmasq can trigger a DoS remotely.
		35	+ dnsmasq is vulnerable only if one of the following option is
		36	+ specified: --add-mac, --add-cpe-id or --add-subnet.
		37	+ CVE-2017-14496 applies.
		38	+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
		39	+ and Kevin Hamacher of the Google Security Team for
		40	+ finding this.
		41	+
		42
		43	version 2.77
		44	Generate an error when configured with a CNAME loop,
		45	diff --git a/src/edns0.c b/src/edns0.c
		46	index f5b798c..95b74ee 100644
		47	--- a/src/edns0.c
		48	+++ b/src/edns0.c
		49	@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		50	GETSHORT(len, p);
		51
		52	/* malformed option, delete the whole OPT RR and start again. */
		53	- if (i + len > rdlen)
		54	+ if (i + 4 + len > rdlen)
		55	{
		56	rdlen = 0;
		57	is_last = 0;
		58	@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		59	ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
		60	header, plen)))
		61	return plen;
		62	+ if (p + 11 > limit)
		63	+ return plen; /* Too big */
		64	p++ = 0; / empty name */
		65	PUTSHORT(T_OPT, p);
		66	PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
		67	@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		68	/* Copy back any options */
		69	if (buff)
		70	{
		71	+ if (p + rdlen > limit)
		72	+ {
		73	+ free(buff);
		74	+ return plen; /* Too big */
		75	+ }
		76	memcpy(p, buff, rdlen);
		77	free(buff);
		78	p += rdlen;
		79	@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		80	/* Add new option */
		81	if (optno != 0 && replace != 2)
		82	{
		83	+ if (p + 4 > limit)
		84	+ return plen; /* Too big */
		85	PUTSHORT(optno, p);
		86	PUTSHORT(optlen, p);
		87	+ if (p + optlen > limit)
		88	+ return plen; /* Too big */
		89	memcpy(p, opt, optlen);
		90	p += optlen;
		91	PUTSHORT(p - datap, lenp);
		92	--
		93	1.7.10.4
		94


diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend index c0c4633..07f8a6c 100644 --- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend +++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -6,4 +6,5 @@ SRC_URI += "file://0001-CVE-2017-14491.patch \
6	file://CVE-2017-14492.patch \	6	file://CVE-2017-14492.patch \
7	file://CVE-2017-14493.patch \	7	file://CVE-2017-14493.patch \
8	file://CVE-2017-14494.patch \	8	file://CVE-2017-14494.patch \
		9	file://CVE-2017-14496.patch \
9	"	10	"