1 files changed, 0 insertions, 94 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
deleted file mode 100644
index 333a890..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 20:11:58 +0100
-Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS
- response creation.
-Fix DoS in DNS. Invalid boundary checks in the
-add_pseudoheader function allows a memcpy call with negative
-size An attacker which can send malicious DNS queries
-to dnsmasq can trigger a DoS remotely.
-dnsmasq is vulnerable only if one of the following option is
-specified: --add-mac, --add-cpe-id or --add-subnet.
-CVE: CVE-2017-14496
-Upstream-Status: Backport
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- CHANGELOG   |   11 +++++++++++
- src/edns0.c |   13 ++++++++++++-
- 2 files changed, 23 insertions(+), 1 deletion(-)
-diff --git a/CHANGELOG b/CHANGELOG
-index d1cc074..8fe00ed 100644
--- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -60,6 +60,17 @@ version 2.78
-        and Kevin Hamacher of the Google Security Team for
-        finding this.
-        
-+       Fix DoS in DNS. Invalid boundary checks in the
-+       add_pseudoheader function allows a memcpy call with negative
-+       size An attacker which can send malicious DNS queries
-+       to dnsmasq can trigger a DoS remotely.
-+       dnsmasq is vulnerable only if one of the following option is
-+       specified: --add-mac, --add-cpe-id or --add-subnet.
-+       CVE-2017-14496 applies.
-+       Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+       and Kevin Hamacher of the Google Security Team for
-+       finding this.
-+       
-        
- version 2.77
-        Generate an error when configured with a CNAME loop,
-diff --git a/src/edns0.c b/src/edns0.c
-index f5b798c..95b74ee 100644
--- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
-          GETSHORT(len, p);
-          
-          /* malformed option, delete the whole OPT RR and start again. */
-         if (i + len > rdlen)
-+         if (i + 4 + len > rdlen)
-            {
-              rdlen = 0;
-              is_last = 0;
-@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
-                             ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
-                             header, plen)))
-        return plen;
-+      if (p + 11 > limit)
-+       return plen; /* Too big */
-       *p++ = 0; /* empty name */
-       PUTSHORT(T_OPT, p);
-       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
-@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
-       /* Copy back any options */
-       if (buff)
-        {
-+          if (p + rdlen > limit)
-+          {
-+            free(buff);
-+            return plen; /* Too big */
-+          }
-          memcpy(p, buff, rdlen);
-          free(buff);
-          p += rdlen;
-@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
-   /* Add new option */
-   if (optno != 0 && replace != 2)
-     {
-+      if (p + 4 > limit)
-+       return plen; /* Too big */
-       PUTSHORT(optno, p);
-       PUTSHORT(optlen, p);
-+      if (p + optlen > limit)
-+       return plen; /* Too big */
-       memcpy(p, opt, optlen);
-       p += optlen;  
-       PUTSHORT(p - datap, lenp);
-- 
-1.7.10.4

diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch deleted file mode 100644 index 333a890..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch +++ /dev/null
@@ -1,94 +0,0 @@
1	From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001
2	From: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Mon, 25 Sep 2017 20:11:58 +0100
4	Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS
5	response creation.
6
7	Fix DoS in DNS. Invalid boundary checks in the
8	add_pseudoheader function allows a memcpy call with negative
9	size An attacker which can send malicious DNS queries
10	to dnsmasq can trigger a DoS remotely.
11	dnsmasq is vulnerable only if one of the following option is
12	specified: --add-mac, --add-cpe-id or --add-subnet.
13
14	CVE: CVE-2017-14496
15	Upstream-Status: Backport
16
17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
18	---
19	CHANGELOG \| 11 +++++++++++
20	src/edns0.c \| 13 ++++++++++++-
21	2 files changed, 23 insertions(+), 1 deletion(-)
22
23	diff --git a/CHANGELOG b/CHANGELOG
24	index d1cc074..8fe00ed 100644
25	--- a/CHANGELOG
26	+++ b/CHANGELOG
27	@@ -60,6 +60,17 @@ version 2.78
28	and Kevin Hamacher of the Google Security Team for
29	finding this.
30
31	+ Fix DoS in DNS. Invalid boundary checks in the
32	+ add_pseudoheader function allows a memcpy call with negative
33	+ size An attacker which can send malicious DNS queries
34	+ to dnsmasq can trigger a DoS remotely.
35	+ dnsmasq is vulnerable only if one of the following option is
36	+ specified: --add-mac, --add-cpe-id or --add-subnet.
37	+ CVE-2017-14496 applies.
38	+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
39	+ and Kevin Hamacher of the Google Security Team for
40	+ finding this.
41	+
42
43	version 2.77
44	Generate an error when configured with a CNAME loop,
45	diff --git a/src/edns0.c b/src/edns0.c
46	index f5b798c..95b74ee 100644
47	--- a/src/edns0.c
48	+++ b/src/edns0.c
49	@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
50	GETSHORT(len, p);
51
52	/* malformed option, delete the whole OPT RR and start again. */
53	- if (i + len > rdlen)
54	+ if (i + 4 + len > rdlen)
55	{
56	rdlen = 0;
57	is_last = 0;
58	@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
59	ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
60	header, plen)))
61	return plen;
62	+ if (p + 11 > limit)
63	+ return plen; /* Too big */
64	p++ = 0; / empty name */
65	PUTSHORT(T_OPT, p);
66	PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
67	@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
68	/* Copy back any options */
69	if (buff)
70	{
71	+ if (p + rdlen > limit)
72	+ {
73	+ free(buff);
74	+ return plen; /* Too big */
75	+ }
76	memcpy(p, buff, rdlen);
77	free(buff);
78	p += rdlen;
79	@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
80	/* Add new option */
81	if (optno != 0 && replace != 2)
82	{
83	+ if (p + 4 > limit)
84	+ return plen; /* Too big */
85	PUTSHORT(optno, p);
86	PUTSHORT(optlen, p);
87	+ if (p + optlen > limit)
88	+ return plen; /* Too big */
89	memcpy(p, opt, optlen);
90	p += optlen;
91	PUTSHORT(p - datap, lenp);
92	--
93	1.7.10.4
94