Diffstat (limited to 'recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch')
-rw-r--r-- | recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch | 57 |
1 files changed, 57 insertions, 0 deletions
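--- /dev/null
+++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch
@@ -0,0 +1,57 @@
+From 24036ea507862c7b7898b68289c8130f85599c10 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:47:15 +0100
+Subject: [PATCH] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow.
+
+Fix heap overflow in IPv6 router advertisement code.
+This is a potentially serious security hole, as a
+crafted RA request can overflow a buffer and crash or
+control dnsmasq. Attacker must be on the local network.
+
+CVE: CVE-2017-14492
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+CHANGELOG | 10 +++++++++-
+src/radv.c | 3 +++
+2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index a7c2f35..df6c157 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -35,7 +35,15 @@ version 2.78
+and Kevin Hamacher of the Google Security Team for
+finding this.
+
+-
++ Fix heap overflow in IPv6 router advertisement code.
++ This is a potentially serious security hole, as a
++ crafted RA request can overflow a buffer and crash or
++ control dnsmasq. Attacker must be on the local network.
++ CVE-2017-14492 applies.
++ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
++ and Kevin Hamacher of the Google Security Team for
++ finding this.
++
+
+version 2.77
+Generate an error when configured with a CNAME loop,
+diff --git a/src/radv.c b/src/radv.c
+index 1032189..9b7e52c 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -198,6 +198,9 @@ void icmp6_packet(time_t now)
+/* look for link-layer address option for logging */
+if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz)
+{
++ if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {
++ return;
++ }
+print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2);
+mac = daemon->namebuff;
+}
+--
+1.7.10.4
+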
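Review bot: In the src/radv.c hunk, a source link-layer option whose length byte `packet[9]` is 0 still passes both the existing `(packet[9] * 8) + 8 <= sz` test and the added bound, so `print_mac` is then called with a length of -2. What `print_mac` does with a negative length is not visible in this hunk, but a zero-length option should be rejected before the call, e.g. `if (packet[9] == 0) return;`. The added bound would also benefit from a comment explaining the arithmetic, such as `/* print_mac writes 3 chars per byte minus the last separator; result must fit in namebuff (MAXDNAME) */`. That derivation is inferred from the expression and should be confirmed against `print_mac` and the allocation of `daemon->namebuff`. The body of `icmp6_packet` starts and ends outside the hunk.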