Diffstat (limited to 'recipes-networking/dnsmasq/dnsmasq')
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch269
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch73
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch57
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch55
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch55
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch69
-rw-r--r--recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch94
7 files changed, 0 insertions, 672 deletions
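diff --git a/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch
deleted file mode 100644
index 1eda591..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch
+++ /dev/null
@@ -1,269 +0,0 @@
-From 0549c73b7ea6b22a3c49beb4d432f185a81efcbc Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 18:17:11 +0100
-Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow.
-
-Fix heap overflow in DNS code. This is a potentially serious
-security hole. It allows an attacker who can make DNS
-requests to dnsmasq, and who controls the contents of
-a domain, which is thereby queried, to overflow
-(by 2 bytes) a heap buffer and either crash, or
-even take control of, dnsmasq.
-
-CVE: CVE-2017-14491
-Upstream-Status: Backport [src/dnsmasq.h patch failed, modified manually]
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-
-diff -Nurp a/CHANGELOG b/CHANGELOG
---- a/CHANGELOG 2016-05-18 16:51:54.000000000 +0200
-+++ b/CHANGELOG 2017-10-04 09:38:20.445498463 +0200
-@@ -123,6 +123,18 @@ version 2.75
- dhcp-script is configured. Thanks to Adrian Davey for
- reporting the bug and testing the fix.
-
-+ Fix heap overflow in DNS code. This is a potentially serious
-+ security hole. It allows an attacker who can make DNS
-+ requests to dnsmasq, and who controls the contents of
-+ a domain, which is thereby queried, to overflow
-+ (by 2 bytes) a heap buffer and either crash, or
-+ even take control of, dnsmasq.
-+ CVE-2017-14491 applies.
-+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+ and Kevin Hamacher of the Google Security Team for
-+ finding this.
-+
-+
-
- version 2.74
- Fix reversion in 2.73 where --conf-file would attempt to
-diff -Nurp a/src/dnsmasq.h b/src/dnsmasq.h
---- a/src/dnsmasq.h 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/dnsmasq.h 2017-10-04 09:39:39.366156718 +0200
-@@ -1161,7 +1161,7 @@ u32 rand32(void);
- u64 rand64(void);
- int legal_hostname(char *c);
- char *canonicalise(char *s, int *nomem);
--unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
-+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
- void *safe_malloc(size_t size);
- void safe_pipe(int *fd, int read_noblock);
- void *whine_malloc(size_t size);
-diff -Nurp a/src/dnssec.c b/src/dnssec.c
---- a/src/dnssec.c 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/dnssec.c 2017-10-04 09:38:20.445498463 +0200
-@@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_
-
- p = (unsigned char *)(header+1);
-
-- p = do_rfc1035_name(p, name);
-+ p = do_rfc1035_name(p, name, NULL);
- *p++ = 0;
- PUTSHORT(type, p);
- PUTSHORT(class, p);
-diff -Nurp a/src/option.c b/src/option.c
---- a/src/option.c 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/option.c 2017-10-04 09:38:20.449498294 +0200
-@@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char *errstr,
- }
-
- p = newp;
-- end = do_rfc1035_name(p + len, dom);
-+ end = do_rfc1035_name(p + len, dom, NULL);
- *end++ = 0;
- len = end - p;
- free(dom);
-diff -Nurp a/src/rfc1035.c b/src/rfc1035.c
---- a/src/rfc1035.c 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/rfc1035.c 2017-10-04 09:38:20.449498294 +0200
-@@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns
- return 0;
- }
-
-+
- int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
- unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
- {
-@@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_heade
- unsigned short usval;
- long lval;
- char *sval;
-+#define CHECK_LIMIT(size) \
-+ if (limit && p + (size) > (unsigned char*)limit) \
-+ { \
-+ va_end(ap); \
-+ goto truncated; \
-+ }
-
- if (truncp && *truncp)
- return 0;
--
-+
- va_start(ap, format); /* make ap point to 1st unamed argument */
--
-+
-+ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-+ CHECK_LIMIT(12);
-+
- if (nameoffset > 0)
- {
- PUTSHORT(nameoffset | 0xc000, p);
-@@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_heade
- {
- char *name = va_arg(ap, char *);
- if (name)
-- p = do_rfc1035_name(p, name);
-+ p = do_rfc1035_name(p, name, limit);
-+ if (!p)
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+
- if (nameoffset < 0)
- {
- PUTSHORT(-nameoffset | 0xc000, p);
-@@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_heade
- {
- #ifdef HAVE_IPV6
- case '6':
-+ CHECK_LIMIT(IN6ADDRSZ);
- sval = va_arg(ap, char *);
- memcpy(p, sval, IN6ADDRSZ);
- p += IN6ADDRSZ;
-@@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_heade
- #endif
-
- case '4':
-+ CHECK_LIMIT(INADDRSZ);
- sval = va_arg(ap, char *);
- memcpy(p, sval, INADDRSZ);
- p += INADDRSZ;
- break;
-
- case 'b':
-+ CHECK_LIMIT(1);
- usval = va_arg(ap, int);
- *p++ = usval;
- break;
-
- case 's':
-+ CHECK_LIMIT(2);
- usval = va_arg(ap, int);
- PUTSHORT(usval, p);
- break;
-
- case 'l':
-+ CHECK_LIMIT(4);
- lval = va_arg(ap, long);
- PUTLONG(lval, p);
- break;
-
- case 'd':
-- /* get domain-name answer arg and store it in RDATA field */
-- if (offset)
-- *offset = p - (unsigned char *)header;
-- p = do_rfc1035_name(p, va_arg(ap, char *));
-- *p++ = 0;
-+ /* get domain-name answer arg and store it in RDATA field */
-+ if (offset)
-+ *offset = p - (unsigned char *)header;
-+ p = do_rfc1035_name(p, va_arg(ap, char *), limit);
-+ if (!p)
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+ CHECK_LIMIT(1);
-+ *p++ = 0;
- break;
-
- case 't':
- usval = va_arg(ap, int);
-+ CHECK_LIMIT(usval);
- sval = va_arg(ap, char *);
- if (usval != 0)
- memcpy(p, sval, usval);
-@@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_heade
- usval = sval ? strlen(sval) : 0;
- if (usval > 255)
- usval = 255;
-+ CHECK_LIMIT(usval + 1);
- *p++ = (unsigned char)usval;
- memcpy(p, sval, usval);
- p += usval;
- break;
- }
-
-+#undef CHECK_LIMIT
- va_end(ap); /* clean up variable argument pointer */
-
- j = p - sav - 2;
-- PUTSHORT(j, sav); /* Now, store real RDLength */
-+ /* this has already been checked against limit before */
-+ PUTSHORT(j, sav); /* Now, store real RDLength */
-
- /* check for overflow of buffer */
- if (limit && ((unsigned char *)limit - p) < 0)
- {
-+truncated:
- if (truncp)
- *truncp = 1;
- return 0;
-diff -Nurp a/src/rfc2131.c b/src/rfc2131.c
---- a/src/rfc2131.c 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/rfc2131.c 2017-10-04 09:38:20.449498294 +0200
-@@ -2419,10 +2419,10 @@ static void do_options(struct dhcp_conte
-
- if (fqdn_flags & 0x04)
- {
-- p = do_rfc1035_name(p, hostname);
-+ p = do_rfc1035_name(p, hostname, NULL);
- if (domain)
- {
-- p = do_rfc1035_name(p, domain);
-+ p = do_rfc1035_name(p, domain, NULL);
- *p++ = 0;
- }
- }
-diff -Nurp a/src/rfc3315.c b/src/rfc3315.c
---- a/src/rfc3315.c 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/rfc3315.c 2017-10-04 09:38:20.449498294 +0200
-@@ -1472,10 +1472,10 @@ static struct dhcp_netid *add_options(st
- if ((p = expand(len + 2)))
- {
- *(p++) = state->fqdn_flags;
-- p = do_rfc1035_name(p, state->hostname);
-+ p = do_rfc1035_name(p, state->hostname, NULL);
- if (state->send_domain)
- {
-- p = do_rfc1035_name(p, state->send_domain);
-+ p = do_rfc1035_name(p, state->send_domain, NULL);
- *p = 0;
- }
- }
-diff -Nurp a/src/util.c b/src/util.c
---- a/src/util.c 2016-05-18 16:51:54.000000000 +0200
-+++ b/src/util.c 2017-10-04 09:38:20.453498124 +0200
-@@ -218,15 +218,20 @@ char *canonicalise(char *in, int *nomem)
- return ret;
- }
-
--unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
-+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)
- {
- int j;
-
- while (sval && *sval)
- {
-+ if (limit && p + 1 > (unsigned char*)limit)
-+ return p;
-+
- unsigned char *cp = p++;
- for (j = 0; *sval && (*sval != '.'); sval++, j++)
- {
-+ if (limit && p + 1 > (unsigned char*)limit)
-+ return p;
- #ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
- *p++ = (*(++sval))-1;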
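diff --git a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch
deleted file mode 100644
index 6f27667..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Tue, 26 Sep 2017 22:00:11 +0100
-Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow.
-
-Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
-Handles case when RR name is not a pointer to the question,
-only occurs for some auth-mode replies, therefore not
-detected by fuzzing (?)
-
-CVE: CVE-2017-14491
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- src/rfc1035.c | 27 +++++++++++++++------------
- 1 file changed, 15 insertions(+), 12 deletions(-)
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 27af023..56ab88b 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
-
- va_start(ap, format); /* make ap point to 1st unamed argument */
-
-- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-- CHECK_LIMIT(12);
--
- if (nameoffset > 0)
- {
-+ CHECK_LIMIT(2);
- PUTSHORT(nameoffset | 0xc000, p);
- }
- else
- {
- char *name = va_arg(ap, char *);
-- if (name)
-- p = do_rfc1035_name(p, name, limit);
-- if (!p)
-- {
-- va_end(ap);
-- goto truncated;
-- }
--
-+ if (name && !(p = do_rfc1035_name(p, name, limit)))
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+
- if (nameoffset < 0)
- {
-+ CHECK_LIMIT(2);
- PUTSHORT(-nameoffset | 0xc000, p);
- }
- else
-- *p++ = 0;
-+ {
-+ CHECK_LIMIT(1);
-+ *p++ = 0;
-+ }
- }
-
-+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
-+ CHECK_LIMIT(10);
-+
- PUTSHORT(type, p);
- PUTSHORT(class, p);
- PUTLONG(ttl, p); /* TTL */
---
-1.7.10.4
-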
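diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch
deleted file mode 100644
index 5b66944..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 24036ea507862c7b7898b68289c8130f85599c10 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 18:47:15 +0100
-Subject: [PATCH] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow.
-
-Fix heap overflow in IPv6 router advertisement code.
-This is a potentially serious security hole, as a
-crafted RA request can overflow a buffer and crash or
-control dnsmasq. Attacker must be on the local network.
-
-CVE: CVE-2017-14492
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- CHANGELOG | 10 +++++++++-
- src/radv.c | 3 +++
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index a7c2f35..df6c157 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -35,7 +35,15 @@ version 2.78
- and Kevin Hamacher of the Google Security Team for
- finding this.
-
--
-+ Fix heap overflow in IPv6 router advertisement code.
-+ This is a potentially serious security hole, as a
-+ crafted RA request can overflow a buffer and crash or
-+ control dnsmasq. Attacker must be on the local network.
-+ CVE-2017-14492 applies.
-+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+ and Kevin Hamacher of the Google Security Team for
-+ finding this.
-+
-
- version 2.77
- Generate an error when configured with a CNAME loop,
-diff --git a/src/radv.c b/src/radv.c
-index 1032189..9b7e52c 100644
---- a/src/radv.c
-+++ b/src/radv.c
-@@ -198,6 +198,9 @@ void icmp6_packet(time_t now)
- /* look for link-layer address option for logging */
- if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz)
- {
-+ if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {
-+ return;
-+ }
- print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2);
- mac = daemon->namebuff;
- }
---
-1.7.10.4
-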
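diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
deleted file mode 100644
index fedb825..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 18:52:50 +0100
-Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
- overflow.
-
-Fix stack overflow in DHCPv6 code. An attacker who can send
-a DHCPv6 request to dnsmasq can overflow the stack frame and
-crash or control dnsmasq.
-
-CVE: CVE-2017-14493
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- CHANGELOG | 8 ++++++++
- src/rfc3315.c | 3 +++
- 2 files changed, 11 insertions(+)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index df6c157..c48378f 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -43,6 +43,14 @@ version 2.78
- Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
- and Kevin Hamacher of the Google Security Team for
- finding this.
-+
-+ Fix stack overflow in DHCPv6 code. An attacker who can send
-+ a DHCPv6 request to dnsmasq can overflow the stack frame and
-+ crash or control dnsmasq.
-+ CVE-2017-14493 applies.
-+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+ and Kevin Hamacher of the Google Security Team for
-+ finding this.
-
-
- version 2.77
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 1687931..920907c 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
- /* RFC-6939 */
- if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
- {
-+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
-+ return 0;
-+ }
- state->mac_type = opt6_uint(opt, 0, 2);
- state->mac_len = opt6_len(opt) - 2;
- memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
---
-1.7.10.4
-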
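diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch
deleted file mode 100644
index d32f713..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 20:05:11 +0100
-Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- forwarded requests.
-
-Fix information leak in DHCPv6. A crafted DHCPv6 packet can
-cause dnsmasq to forward memory from outside the packet
-buffer to a DHCPv6 server when acting as a relay.
-
-CVE: CVE-2017-14494
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- CHANGELOG | 8 ++++++++
- src/rfc3315.c | 3 +++
- 2 files changed, 11 insertions(+)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index c48378f..d1cc074 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -51,6 +51,14 @@ version 2.78
- Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
- and Kevin Hamacher of the Google Security Team for
- finding this.
-+
-+ Fix information leak in DHCPv6. A crafted DHCPv6 packet can
-+ cause dnsmasq to forward memory from outside the packet
-+ buffer to a DHCPv6 server when acting as a relay.
-+ CVE-2017-14494 applies.
-+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+ and Kevin Hamacher of the Google Security Team for
-+ finding this.
-
-
- version 2.77
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 920907c..4ca43e0 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
-
- for (opt = opts; opt; opt = opt6_next(opt, end))
- {
-+ if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
-+ return 0;
-+ }
- int o = new_opt6(opt6_type(opt));
- if (opt6_type(opt) == OPTION6_RELAY_MSG)
- {
---
-1.7.10.4
-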
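diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch
deleted file mode 100644
index ba176a8..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 20:16:50 +0100
-Subject: [PATCH] Security fix, CVE-2017-14495, OOM in DNS response creation.
-
-Fix out-of-memory Dos vulnerability. An attacker which can
-send malicious DNS queries to dnsmasq can trigger memory
-allocations in the add_pseudoheader function
-The allocated memory is never freed which leads to a DoS
-through memory exhaustion. dnsmasq is vulnerable only
-if one of the following option is specified:
---add-mac, --add-cpe-id or --add-subnet.
-
-CVE: CVE-2017-14495
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- CHANGELOG | 12 ++++++++++++
- src/edns0.c | 8 +++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 8fe00ed..9523329 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -70,6 +70,18 @@ version 2.78
- Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
- and Kevin Hamacher of the Google Security Team for
- finding this.
-+
-+ Fix out-of-memory Dos vulnerability. An attacker which can
-+ send malicious DNS queries to dnsmasq can trigger memory
-+ allocations in the add_pseudoheader function
-+ The allocated memory is never freed which leads to a DoS
-+ through memory exhaustion. dnsmasq is vulnerable only
-+ if one of the following option is specified:
-+ --add-mac, --add-cpe-id or --add-subnet.
-+ CVE-2017-14495 applies.
-+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+ and Kevin Hamacher of the Google Security Team for
-+ finding this.
-
-
- version 2.77
-diff --git a/src/edns0.c b/src/edns0.c
-index 95b74ee..89b2692 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- !(p = skip_section(p,
- ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
- header, plen)))
-+ {
-+ free(buff);
- return plen;
-+ }
- if (p + 11 > limit)
-- return plen; /* Too big */
-+ {
-+ free(buff);
-+ return plen; /* Too big */
-+ }
- *p++ = 0; /* empty name */
- PUTSHORT(T_OPT, p);
- PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
---
-1.7.10.4
-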
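diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
deleted file mode 100644
index 333a890..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 20:11:58 +0100
-Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS
- response creation.
-
-Fix DoS in DNS. Invalid boundary checks in the
-add_pseudoheader function allows a memcpy call with negative
-size An attacker which can send malicious DNS queries
-to dnsmasq can trigger a DoS remotely.
-dnsmasq is vulnerable only if one of the following option is
-specified: --add-mac, --add-cpe-id or --add-subnet.
-
-CVE: CVE-2017-14496
-Upstream-Status: Backport
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
- CHANGELOG | 11 +++++++++++
- src/edns0.c | 13 ++++++++++++-
- 2 files changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index d1cc074..8fe00ed 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -60,6 +60,17 @@ version 2.78
- and Kevin Hamacher of the Google Security Team for
- finding this.
-
-+ Fix DoS in DNS. Invalid boundary checks in the
-+ add_pseudoheader function allows a memcpy call with negative
-+ size An attacker which can send malicious DNS queries
-+ to dnsmasq can trigger a DoS remotely.
-+ dnsmasq is vulnerable only if one of the following option is
-+ specified: --add-mac, --add-cpe-id or --add-subnet.
-+ CVE-2017-14496 applies.
-+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
-+ and Kevin Hamacher of the Google Security Team for
-+ finding this.
-+
-
- version 2.77
- Generate an error when configured with a CNAME loop,
-diff --git a/src/edns0.c b/src/edns0.c
-index f5b798c..95b74ee 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- GETSHORT(len, p);
-
- /* malformed option, delete the whole OPT RR and start again. */
-- if (i + len > rdlen)
-+ if (i + 4 + len > rdlen)
- {
- rdlen = 0;
- is_last = 0;
-@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
- header, plen)))
- return plen;
-+ if (p + 11 > limit)
-+ return plen; /* Too big */
- *p++ = 0; /* empty name */
- PUTSHORT(T_OPT, p);
- PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
-@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* Copy back any options */
- if (buff)
- {
-+ if (p + rdlen > limit)
-+ {
-+ free(buff);
-+ return plen; /* Too big */
-+ }
- memcpy(p, buff, rdlen);
- free(buff);
- p += rdlen;
-@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* Add new option */
- if (optno != 0 && replace != 2)
- {
-+ if (p + 4 > limit)
-+ return plen; /* Too big */
- PUTSHORT(optno, p);
- PUTSHORT(optlen, p);
-+ if (p + optlen > limit)
-+ return plen; /* Too big */
- memcpy(p, opt, optlen);
- p += optlen;
- PUTSHORT(p - datap, lenp);
---
-1.7.10.4
-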