1 files changed, 55 insertions, 0 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
new file mode 100644
index 0000000..fedb825
--- /dev/null
+++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
@@ -0,0 +1,55 @@
+From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:52:50 +0100
+Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
+ overflow.
+Fix stack overflow in DHCPv6 code. An attacker who can send
+a DHCPv6 request to dnsmasq can overflow the stack frame and
+crash or control dnsmasq.
+CVE: CVE-2017-14493
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGELOG     |    8 ++++++++
+ src/rfc3315.c |    3 +++
+ 2 files changed, 11 insertions(+)
+diff --git a/CHANGELOG b/CHANGELOG
+index df6c157..c48378f 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -43,6 +43,14 @@ version 2.78
+         Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+        and Kevin Hamacher of the Google Security Team for
+        finding this.
+
+       Fix stack overflow in DHCPv6 code. An attacker who can send
+       a DHCPv6 request to dnsmasq can overflow the stack frame and
+       crash or control dnsmasq.
+       CVE-2017-14493 applies.
+       Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+       and Kevin Hamacher of the Google Security Team for
+       finding this.
+        
+        
+ version 2.77
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 1687931..920907c 100644
+--- a/src/rfc3315.c
+++ b/src/rfc3315.c
+@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   /* RFC-6939 */
+   if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
+     {
+      if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
+        return 0;
+      }
+       state->mac_type = opt6_uint(opt, 0, 2);
+       state->mac_len = opt6_len(opt) - 2;
+       memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
+-- 
+1.7.10.4

diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch new file mode 100644 index 0000000..fedb825 --- /dev/null +++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
@@ -0,0 +1,55 @@
	1	From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Mon, 25 Sep 2017 18:52:50 +0100
	4	Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
	5	overflow.
	6
	7	Fix stack overflow in DHCPv6 code. An attacker who can send
	8	a DHCPv6 request to dnsmasq can overflow the stack frame and
	9	crash or control dnsmasq.
	10
	11	CVE: CVE-2017-14493
	12	Upstream-Status: Backport
	13
	14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	15	---
	16	CHANGELOG \| 8 ++++++++
	17	src/rfc3315.c \| 3 +++
	18	2 files changed, 11 insertions(+)
	19
	20	diff --git a/CHANGELOG b/CHANGELOG
	21	index df6c157..c48378f 100644
	22	--- a/CHANGELOG
	23	+++ b/CHANGELOG
	24	@@ -43,6 +43,14 @@ version 2.78
	25	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	26	and Kevin Hamacher of the Google Security Team for
	27	finding this.
	28	+
	29	+ Fix stack overflow in DHCPv6 code. An attacker who can send
	30	+ a DHCPv6 request to dnsmasq can overflow the stack frame and
	31	+ crash or control dnsmasq.
	32	+ CVE-2017-14493 applies.
	33	+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	34	+ and Kevin Hamacher of the Google Security Team for
	35	+ finding this.
	36
	37
	38	version 2.77
	39	diff --git a/src/rfc3315.c b/src/rfc3315.c
	40	index 1687931..920907c 100644
	41	--- a/src/rfc3315.c
	42	+++ b/src/rfc3315.c
	43	@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
	44	/* RFC-6939 */
	45	if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
	46	{
	47	+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
	48	+ return 0;
	49	+ }
	50	state->mac_type = opt6_uint(opt, 0, 2);
	51	state->mac_len = opt6_len(opt) - 2;
	52	memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
	53	--
	54	1.7.10.4
	55