diff options
Diffstat (limited to 'recipes-networking/dnsmasq/dnsmasq')
7 files changed, 0 insertions, 672 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch deleted file mode 100644 index 1eda591..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/0001-CVE-2017-14491.patch +++ /dev/null | |||
@@ -1,269 +0,0 @@ | |||
1 | From 0549c73b7ea6b22a3c49beb4d432f185a81efcbc Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:17:11 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow. | ||
5 | |||
6 | Fix heap overflow in DNS code. This is a potentially serious | ||
7 | security hole. It allows an attacker who can make DNS | ||
8 | requests to dnsmasq, and who controls the contents of | ||
9 | a domain, which is thereby queried, to overflow | ||
10 | (by 2 bytes) a heap buffer and either crash, or | ||
11 | even take control of, dnsmasq. | ||
12 | |||
13 | CVE: CVE-2017-14491 | ||
14 | Upstream-Status: Backport [src/dnsmasq.h patch failed, modified manually] | ||
15 | |||
16 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
17 | |||
18 | diff -Nurp a/CHANGELOG b/CHANGELOG | ||
19 | --- a/CHANGELOG 2016-05-18 16:51:54.000000000 +0200 | ||
20 | +++ b/CHANGELOG 2017-10-04 09:38:20.445498463 +0200 | ||
21 | @@ -123,6 +123,18 @@ version 2.75 | ||
22 | dhcp-script is configured. Thanks to Adrian Davey for | ||
23 | reporting the bug and testing the fix. | ||
24 | |||
25 | + Fix heap overflow in DNS code. This is a potentially serious | ||
26 | + security hole. It allows an attacker who can make DNS | ||
27 | + requests to dnsmasq, and who controls the contents of | ||
28 | + a domain, which is thereby queried, to overflow | ||
29 | + (by 2 bytes) a heap buffer and either crash, or | ||
30 | + even take control of, dnsmasq. | ||
31 | + CVE-2017-14491 applies. | ||
32 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
33 | + and Kevin Hamacher of the Google Security Team for | ||
34 | + finding this. | ||
35 | + | ||
36 | + | ||
37 | |||
38 | version 2.74 | ||
39 | Fix reversion in 2.73 where --conf-file would attempt to | ||
40 | diff -Nurp a/src/dnsmasq.h b/src/dnsmasq.h | ||
41 | --- a/src/dnsmasq.h 2016-05-18 16:51:54.000000000 +0200 | ||
42 | +++ b/src/dnsmasq.h 2017-10-04 09:39:39.366156718 +0200 | ||
43 | @@ -1161,7 +1161,7 @@ u32 rand32(void); | ||
44 | u64 rand64(void); | ||
45 | int legal_hostname(char *c); | ||
46 | char *canonicalise(char *s, int *nomem); | ||
47 | -unsigned char *do_rfc1035_name(unsigned char *p, char *sval); | ||
48 | +unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit); | ||
49 | void *safe_malloc(size_t size); | ||
50 | void safe_pipe(int *fd, int read_noblock); | ||
51 | void *whine_malloc(size_t size); | ||
52 | diff -Nurp a/src/dnssec.c b/src/dnssec.c | ||
53 | --- a/src/dnssec.c 2016-05-18 16:51:54.000000000 +0200 | ||
54 | +++ b/src/dnssec.c 2017-10-04 09:38:20.445498463 +0200 | ||
55 | @@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_ | ||
56 | |||
57 | p = (unsigned char *)(header+1); | ||
58 | |||
59 | - p = do_rfc1035_name(p, name); | ||
60 | + p = do_rfc1035_name(p, name, NULL); | ||
61 | *p++ = 0; | ||
62 | PUTSHORT(type, p); | ||
63 | PUTSHORT(class, p); | ||
64 | diff -Nurp a/src/option.c b/src/option.c | ||
65 | --- a/src/option.c 2016-05-18 16:51:54.000000000 +0200 | ||
66 | +++ b/src/option.c 2017-10-04 09:38:20.449498294 +0200 | ||
67 | @@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char *errstr, | ||
68 | } | ||
69 | |||
70 | p = newp; | ||
71 | - end = do_rfc1035_name(p + len, dom); | ||
72 | + end = do_rfc1035_name(p + len, dom, NULL); | ||
73 | *end++ = 0; | ||
74 | len = end - p; | ||
75 | free(dom); | ||
76 | diff -Nurp a/src/rfc1035.c b/src/rfc1035.c | ||
77 | --- a/src/rfc1035.c 2016-05-18 16:51:54.000000000 +0200 | ||
78 | +++ b/src/rfc1035.c 2017-10-04 09:38:20.449498294 +0200 | ||
79 | @@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns | ||
80 | return 0; | ||
81 | } | ||
82 | |||
83 | + | ||
84 | int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, | ||
85 | unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...) | ||
86 | { | ||
87 | @@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_heade | ||
88 | unsigned short usval; | ||
89 | long lval; | ||
90 | char *sval; | ||
91 | +#define CHECK_LIMIT(size) \ | ||
92 | + if (limit && p + (size) > (unsigned char*)limit) \ | ||
93 | + { \ | ||
94 | + va_end(ap); \ | ||
95 | + goto truncated; \ | ||
96 | + } | ||
97 | |||
98 | if (truncp && *truncp) | ||
99 | return 0; | ||
100 | - | ||
101 | + | ||
102 | va_start(ap, format); /* make ap point to 1st unamed argument */ | ||
103 | - | ||
104 | + | ||
105 | + /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ | ||
106 | + CHECK_LIMIT(12); | ||
107 | + | ||
108 | if (nameoffset > 0) | ||
109 | { | ||
110 | PUTSHORT(nameoffset | 0xc000, p); | ||
111 | @@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_heade | ||
112 | { | ||
113 | char *name = va_arg(ap, char *); | ||
114 | if (name) | ||
115 | - p = do_rfc1035_name(p, name); | ||
116 | + p = do_rfc1035_name(p, name, limit); | ||
117 | + if (!p) | ||
118 | + { | ||
119 | + va_end(ap); | ||
120 | + goto truncated; | ||
121 | + } | ||
122 | + | ||
123 | if (nameoffset < 0) | ||
124 | { | ||
125 | PUTSHORT(-nameoffset | 0xc000, p); | ||
126 | @@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_heade | ||
127 | { | ||
128 | #ifdef HAVE_IPV6 | ||
129 | case '6': | ||
130 | + CHECK_LIMIT(IN6ADDRSZ); | ||
131 | sval = va_arg(ap, char *); | ||
132 | memcpy(p, sval, IN6ADDRSZ); | ||
133 | p += IN6ADDRSZ; | ||
134 | @@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_heade | ||
135 | #endif | ||
136 | |||
137 | case '4': | ||
138 | + CHECK_LIMIT(INADDRSZ); | ||
139 | sval = va_arg(ap, char *); | ||
140 | memcpy(p, sval, INADDRSZ); | ||
141 | p += INADDRSZ; | ||
142 | break; | ||
143 | |||
144 | case 'b': | ||
145 | + CHECK_LIMIT(1); | ||
146 | usval = va_arg(ap, int); | ||
147 | *p++ = usval; | ||
148 | break; | ||
149 | |||
150 | case 's': | ||
151 | + CHECK_LIMIT(2); | ||
152 | usval = va_arg(ap, int); | ||
153 | PUTSHORT(usval, p); | ||
154 | break; | ||
155 | |||
156 | case 'l': | ||
157 | + CHECK_LIMIT(4); | ||
158 | lval = va_arg(ap, long); | ||
159 | PUTLONG(lval, p); | ||
160 | break; | ||
161 | |||
162 | case 'd': | ||
163 | - /* get domain-name answer arg and store it in RDATA field */ | ||
164 | - if (offset) | ||
165 | - *offset = p - (unsigned char *)header; | ||
166 | - p = do_rfc1035_name(p, va_arg(ap, char *)); | ||
167 | - *p++ = 0; | ||
168 | + /* get domain-name answer arg and store it in RDATA field */ | ||
169 | + if (offset) | ||
170 | + *offset = p - (unsigned char *)header; | ||
171 | + p = do_rfc1035_name(p, va_arg(ap, char *), limit); | ||
172 | + if (!p) | ||
173 | + { | ||
174 | + va_end(ap); | ||
175 | + goto truncated; | ||
176 | + } | ||
177 | + CHECK_LIMIT(1); | ||
178 | + *p++ = 0; | ||
179 | break; | ||
180 | |||
181 | case 't': | ||
182 | usval = va_arg(ap, int); | ||
183 | + CHECK_LIMIT(usval); | ||
184 | sval = va_arg(ap, char *); | ||
185 | if (usval != 0) | ||
186 | memcpy(p, sval, usval); | ||
187 | @@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_heade | ||
188 | usval = sval ? strlen(sval) : 0; | ||
189 | if (usval > 255) | ||
190 | usval = 255; | ||
191 | + CHECK_LIMIT(usval + 1); | ||
192 | *p++ = (unsigned char)usval; | ||
193 | memcpy(p, sval, usval); | ||
194 | p += usval; | ||
195 | break; | ||
196 | } | ||
197 | |||
198 | +#undef CHECK_LIMIT | ||
199 | va_end(ap); /* clean up variable argument pointer */ | ||
200 | |||
201 | j = p - sav - 2; | ||
202 | - PUTSHORT(j, sav); /* Now, store real RDLength */ | ||
203 | + /* this has already been checked against limit before */ | ||
204 | + PUTSHORT(j, sav); /* Now, store real RDLength */ | ||
205 | |||
206 | /* check for overflow of buffer */ | ||
207 | if (limit && ((unsigned char *)limit - p) < 0) | ||
208 | { | ||
209 | +truncated: | ||
210 | if (truncp) | ||
211 | *truncp = 1; | ||
212 | return 0; | ||
213 | diff -Nurp a/src/rfc2131.c b/src/rfc2131.c | ||
214 | --- a/src/rfc2131.c 2016-05-18 16:51:54.000000000 +0200 | ||
215 | +++ b/src/rfc2131.c 2017-10-04 09:38:20.449498294 +0200 | ||
216 | @@ -2419,10 +2419,10 @@ static void do_options(struct dhcp_conte | ||
217 | |||
218 | if (fqdn_flags & 0x04) | ||
219 | { | ||
220 | - p = do_rfc1035_name(p, hostname); | ||
221 | + p = do_rfc1035_name(p, hostname, NULL); | ||
222 | if (domain) | ||
223 | { | ||
224 | - p = do_rfc1035_name(p, domain); | ||
225 | + p = do_rfc1035_name(p, domain, NULL); | ||
226 | *p++ = 0; | ||
227 | } | ||
228 | } | ||
229 | diff -Nurp a/src/rfc3315.c b/src/rfc3315.c | ||
230 | --- a/src/rfc3315.c 2016-05-18 16:51:54.000000000 +0200 | ||
231 | +++ b/src/rfc3315.c 2017-10-04 09:38:20.449498294 +0200 | ||
232 | @@ -1472,10 +1472,10 @@ static struct dhcp_netid *add_options(st | ||
233 | if ((p = expand(len + 2))) | ||
234 | { | ||
235 | *(p++) = state->fqdn_flags; | ||
236 | - p = do_rfc1035_name(p, state->hostname); | ||
237 | + p = do_rfc1035_name(p, state->hostname, NULL); | ||
238 | if (state->send_domain) | ||
239 | { | ||
240 | - p = do_rfc1035_name(p, state->send_domain); | ||
241 | + p = do_rfc1035_name(p, state->send_domain, NULL); | ||
242 | *p = 0; | ||
243 | } | ||
244 | } | ||
245 | diff -Nurp a/src/util.c b/src/util.c | ||
246 | --- a/src/util.c 2016-05-18 16:51:54.000000000 +0200 | ||
247 | +++ b/src/util.c 2017-10-04 09:38:20.453498124 +0200 | ||
248 | @@ -218,15 +218,20 @@ char *canonicalise(char *in, int *nomem) | ||
249 | return ret; | ||
250 | } | ||
251 | |||
252 | -unsigned char *do_rfc1035_name(unsigned char *p, char *sval) | ||
253 | +unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit) | ||
254 | { | ||
255 | int j; | ||
256 | |||
257 | while (sval && *sval) | ||
258 | { | ||
259 | + if (limit && p + 1 > (unsigned char*)limit) | ||
260 | + return p; | ||
261 | + | ||
262 | unsigned char *cp = p++; | ||
263 | for (j = 0; *sval && (*sval != '.'); sval++, j++) | ||
264 | { | ||
265 | + if (limit && p + 1 > (unsigned char*)limit) | ||
266 | + return p; | ||
267 | #ifdef HAVE_DNSSEC | ||
268 | if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) | ||
269 | *p++ = (*(++sval))-1; | ||
diff --git a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch deleted file mode 100644 index 6f27667..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch +++ /dev/null | |||
@@ -1,73 +0,0 @@ | |||
1 | From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Tue, 26 Sep 2017 22:00:11 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow. | ||
5 | |||
6 | Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc | ||
7 | Handles case when RR name is not a pointer to the question, | ||
8 | only occurs for some auth-mode replies, therefore not | ||
9 | detected by fuzzing (?) | ||
10 | |||
11 | CVE: CVE-2017-14491 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | src/rfc1035.c | 27 +++++++++++++++------------ | ||
17 | 1 file changed, 15 insertions(+), 12 deletions(-) | ||
18 | |||
19 | diff --git a/src/rfc1035.c b/src/rfc1035.c | ||
20 | index 27af023..56ab88b 100644 | ||
21 | --- a/src/rfc1035.c | ||
22 | +++ b/src/rfc1035.c | ||
23 | @@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
24 | |||
25 | va_start(ap, format); /* make ap point to 1st unamed argument */ | ||
26 | |||
27 | - /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ | ||
28 | - CHECK_LIMIT(12); | ||
29 | - | ||
30 | if (nameoffset > 0) | ||
31 | { | ||
32 | + CHECK_LIMIT(2); | ||
33 | PUTSHORT(nameoffset | 0xc000, p); | ||
34 | } | ||
35 | else | ||
36 | { | ||
37 | char *name = va_arg(ap, char *); | ||
38 | - if (name) | ||
39 | - p = do_rfc1035_name(p, name, limit); | ||
40 | - if (!p) | ||
41 | - { | ||
42 | - va_end(ap); | ||
43 | - goto truncated; | ||
44 | - } | ||
45 | - | ||
46 | + if (name && !(p = do_rfc1035_name(p, name, limit))) | ||
47 | + { | ||
48 | + va_end(ap); | ||
49 | + goto truncated; | ||
50 | + } | ||
51 | + | ||
52 | if (nameoffset < 0) | ||
53 | { | ||
54 | + CHECK_LIMIT(2); | ||
55 | PUTSHORT(-nameoffset | 0xc000, p); | ||
56 | } | ||
57 | else | ||
58 | - *p++ = 0; | ||
59 | + { | ||
60 | + CHECK_LIMIT(1); | ||
61 | + *p++ = 0; | ||
62 | + } | ||
63 | } | ||
64 | |||
65 | + /* type (2) + class (2) + ttl (4) + rdlen (2) */ | ||
66 | + CHECK_LIMIT(10); | ||
67 | + | ||
68 | PUTSHORT(type, p); | ||
69 | PUTSHORT(class, p); | ||
70 | PUTLONG(ttl, p); /* TTL */ | ||
71 | -- | ||
72 | 1.7.10.4 | ||
73 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch deleted file mode 100644 index 5b66944..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14492.patch +++ /dev/null | |||
@@ -1,57 +0,0 @@ | |||
1 | From 24036ea507862c7b7898b68289c8130f85599c10 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:47:15 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow. | ||
5 | |||
6 | Fix heap overflow in IPv6 router advertisement code. | ||
7 | This is a potentially serious security hole, as a | ||
8 | crafted RA request can overflow a buffer and crash or | ||
9 | control dnsmasq. Attacker must be on the local network. | ||
10 | |||
11 | CVE: CVE-2017-14492 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | CHANGELOG | 10 +++++++++- | ||
17 | src/radv.c | 3 +++ | ||
18 | 2 files changed, 12 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/CHANGELOG b/CHANGELOG | ||
21 | index a7c2f35..df6c157 100644 | ||
22 | --- a/CHANGELOG | ||
23 | +++ b/CHANGELOG | ||
24 | @@ -35,7 +35,15 @@ version 2.78 | ||
25 | and Kevin Hamacher of the Google Security Team for | ||
26 | finding this. | ||
27 | |||
28 | - | ||
29 | + Fix heap overflow in IPv6 router advertisement code. | ||
30 | + This is a potentially serious security hole, as a | ||
31 | + crafted RA request can overflow a buffer and crash or | ||
32 | + control dnsmasq. Attacker must be on the local network. | ||
33 | + CVE-2017-14492 applies. | ||
34 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
35 | + and Kevin Hamacher of the Google Security Team for | ||
36 | + finding this. | ||
37 | + | ||
38 | |||
39 | version 2.77 | ||
40 | Generate an error when configured with a CNAME loop, | ||
41 | diff --git a/src/radv.c b/src/radv.c | ||
42 | index 1032189..9b7e52c 100644 | ||
43 | --- a/src/radv.c | ||
44 | +++ b/src/radv.c | ||
45 | @@ -198,6 +198,9 @@ void icmp6_packet(time_t now) | ||
46 | /* look for link-layer address option for logging */ | ||
47 | if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz) | ||
48 | { | ||
49 | + if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) { | ||
50 | + return; | ||
51 | + } | ||
52 | print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2); | ||
53 | mac = daemon->namebuff; | ||
54 | } | ||
55 | -- | ||
56 | 1.7.10.4 | ||
57 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch deleted file mode 100644 index fedb825..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:52:50 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer | ||
5 | overflow. | ||
6 | |||
7 | Fix stack overflow in DHCPv6 code. An attacker who can send | ||
8 | a DHCPv6 request to dnsmasq can overflow the stack frame and | ||
9 | crash or control dnsmasq. | ||
10 | |||
11 | CVE: CVE-2017-14493 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | CHANGELOG | 8 ++++++++ | ||
17 | src/rfc3315.c | 3 +++ | ||
18 | 2 files changed, 11 insertions(+) | ||
19 | |||
20 | diff --git a/CHANGELOG b/CHANGELOG | ||
21 | index df6c157..c48378f 100644 | ||
22 | --- a/CHANGELOG | ||
23 | +++ b/CHANGELOG | ||
24 | @@ -43,6 +43,14 @@ version 2.78 | ||
25 | Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
26 | and Kevin Hamacher of the Google Security Team for | ||
27 | finding this. | ||
28 | + | ||
29 | + Fix stack overflow in DHCPv6 code. An attacker who can send | ||
30 | + a DHCPv6 request to dnsmasq can overflow the stack frame and | ||
31 | + crash or control dnsmasq. | ||
32 | + CVE-2017-14493 applies. | ||
33 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
34 | + and Kevin Hamacher of the Google Security Team for | ||
35 | + finding this. | ||
36 | |||
37 | |||
38 | version 2.77 | ||
39 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
40 | index 1687931..920907c 100644 | ||
41 | --- a/src/rfc3315.c | ||
42 | +++ b/src/rfc3315.c | ||
43 | @@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, | ||
44 | /* RFC-6939 */ | ||
45 | if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) | ||
46 | { | ||
47 | + if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) { | ||
48 | + return 0; | ||
49 | + } | ||
50 | state->mac_type = opt6_uint(opt, 0, 2); | ||
51 | state->mac_len = opt6_len(opt) - 2; | ||
52 | memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); | ||
53 | -- | ||
54 | 1.7.10.4 | ||
55 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch deleted file mode 100644 index d32f713..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:05:11 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6 | ||
5 | forwarded requests. | ||
6 | |||
7 | Fix information leak in DHCPv6. A crafted DHCPv6 packet can | ||
8 | cause dnsmasq to forward memory from outside the packet | ||
9 | buffer to a DHCPv6 server when acting as a relay. | ||
10 | |||
11 | CVE: CVE-2017-14494 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | CHANGELOG | 8 ++++++++ | ||
17 | src/rfc3315.c | 3 +++ | ||
18 | 2 files changed, 11 insertions(+) | ||
19 | |||
20 | diff --git a/CHANGELOG b/CHANGELOG | ||
21 | index c48378f..d1cc074 100644 | ||
22 | --- a/CHANGELOG | ||
23 | +++ b/CHANGELOG | ||
24 | @@ -51,6 +51,14 @@ version 2.78 | ||
25 | Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
26 | and Kevin Hamacher of the Google Security Team for | ||
27 | finding this. | ||
28 | + | ||
29 | + Fix information leak in DHCPv6. A crafted DHCPv6 packet can | ||
30 | + cause dnsmasq to forward memory from outside the packet | ||
31 | + buffer to a DHCPv6 server when acting as a relay. | ||
32 | + CVE-2017-14494 applies. | ||
33 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
34 | + and Kevin Hamacher of the Google Security Team for | ||
35 | + finding this. | ||
36 | |||
37 | |||
38 | version 2.77 | ||
39 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
40 | index 920907c..4ca43e0 100644 | ||
41 | --- a/src/rfc3315.c | ||
42 | +++ b/src/rfc3315.c | ||
43 | @@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, | ||
44 | |||
45 | for (opt = opts; opt; opt = opt6_next(opt, end)) | ||
46 | { | ||
47 | + if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) { | ||
48 | + return 0; | ||
49 | + } | ||
50 | int o = new_opt6(opt6_type(opt)); | ||
51 | if (opt6_type(opt) == OPTION6_RELAY_MSG) | ||
52 | { | ||
53 | -- | ||
54 | 1.7.10.4 | ||
55 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch deleted file mode 100644 index ba176a8..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch +++ /dev/null | |||
@@ -1,69 +0,0 @@ | |||
1 | From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:16:50 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14495, OOM in DNS response creation. | ||
5 | |||
6 | Fix out-of-memory Dos vulnerability. An attacker which can | ||
7 | send malicious DNS queries to dnsmasq can trigger memory | ||
8 | allocations in the add_pseudoheader function | ||
9 | The allocated memory is never freed which leads to a DoS | ||
10 | through memory exhaustion. dnsmasq is vulnerable only | ||
11 | if one of the following option is specified: | ||
12 | --add-mac, --add-cpe-id or --add-subnet. | ||
13 | |||
14 | CVE: CVE-2017-14495 | ||
15 | Upstream-Status: Backport | ||
16 | |||
17 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
18 | --- | ||
19 | CHANGELOG | 12 ++++++++++++ | ||
20 | src/edns0.c | 8 +++++++- | ||
21 | 2 files changed, 19 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/CHANGELOG b/CHANGELOG | ||
24 | index 8fe00ed..9523329 100644 | ||
25 | --- a/CHANGELOG | ||
26 | +++ b/CHANGELOG | ||
27 | @@ -70,6 +70,18 @@ version 2.78 | ||
28 | Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
29 | and Kevin Hamacher of the Google Security Team for | ||
30 | finding this. | ||
31 | + | ||
32 | + Fix out-of-memory Dos vulnerability. An attacker which can | ||
33 | + send malicious DNS queries to dnsmasq can trigger memory | ||
34 | + allocations in the add_pseudoheader function | ||
35 | + The allocated memory is never freed which leads to a DoS | ||
36 | + through memory exhaustion. dnsmasq is vulnerable only | ||
37 | + if one of the following option is specified: | ||
38 | + --add-mac, --add-cpe-id or --add-subnet. | ||
39 | + CVE-2017-14495 applies. | ||
40 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
41 | + and Kevin Hamacher of the Google Security Team for | ||
42 | + finding this. | ||
43 | |||
44 | |||
45 | version 2.77 | ||
46 | diff --git a/src/edns0.c b/src/edns0.c | ||
47 | index 95b74ee..89b2692 100644 | ||
48 | --- a/src/edns0.c | ||
49 | +++ b/src/edns0.c | ||
50 | @@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
51 | !(p = skip_section(p, | ||
52 | ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), | ||
53 | header, plen))) | ||
54 | + { | ||
55 | + free(buff); | ||
56 | return plen; | ||
57 | + } | ||
58 | if (p + 11 > limit) | ||
59 | - return plen; /* Too big */ | ||
60 | + { | ||
61 | + free(buff); | ||
62 | + return plen; /* Too big */ | ||
63 | + } | ||
64 | *p++ = 0; /* empty name */ | ||
65 | PUTSHORT(T_OPT, p); | ||
66 | PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ | ||
67 | -- | ||
68 | 1.7.10.4 | ||
69 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch deleted file mode 100644 index 333a890..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14496.patch +++ /dev/null | |||
@@ -1,94 +0,0 @@ | |||
1 | From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:11:58 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS | ||
5 | response creation. | ||
6 | |||
7 | Fix DoS in DNS. Invalid boundary checks in the | ||
8 | add_pseudoheader function allows a memcpy call with negative | ||
9 | size An attacker which can send malicious DNS queries | ||
10 | to dnsmasq can trigger a DoS remotely. | ||
11 | dnsmasq is vulnerable only if one of the following option is | ||
12 | specified: --add-mac, --add-cpe-id or --add-subnet. | ||
13 | |||
14 | CVE: CVE-2017-14496 | ||
15 | Upstream-Status: Backport | ||
16 | |||
17 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
18 | --- | ||
19 | CHANGELOG | 11 +++++++++++ | ||
20 | src/edns0.c | 13 ++++++++++++- | ||
21 | 2 files changed, 23 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/CHANGELOG b/CHANGELOG | ||
24 | index d1cc074..8fe00ed 100644 | ||
25 | --- a/CHANGELOG | ||
26 | +++ b/CHANGELOG | ||
27 | @@ -60,6 +60,17 @@ version 2.78 | ||
28 | and Kevin Hamacher of the Google Security Team for | ||
29 | finding this. | ||
30 | |||
31 | + Fix DoS in DNS. Invalid boundary checks in the | ||
32 | + add_pseudoheader function allows a memcpy call with negative | ||
33 | + size An attacker which can send malicious DNS queries | ||
34 | + to dnsmasq can trigger a DoS remotely. | ||
35 | + dnsmasq is vulnerable only if one of the following option is | ||
36 | + specified: --add-mac, --add-cpe-id or --add-subnet. | ||
37 | + CVE-2017-14496 applies. | ||
38 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
39 | + and Kevin Hamacher of the Google Security Team for | ||
40 | + finding this. | ||
41 | + | ||
42 | |||
43 | version 2.77 | ||
44 | Generate an error when configured with a CNAME loop, | ||
45 | diff --git a/src/edns0.c b/src/edns0.c | ||
46 | index f5b798c..95b74ee 100644 | ||
47 | --- a/src/edns0.c | ||
48 | +++ b/src/edns0.c | ||
49 | @@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
50 | GETSHORT(len, p); | ||
51 | |||
52 | /* malformed option, delete the whole OPT RR and start again. */ | ||
53 | - if (i + len > rdlen) | ||
54 | + if (i + 4 + len > rdlen) | ||
55 | { | ||
56 | rdlen = 0; | ||
57 | is_last = 0; | ||
58 | @@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
59 | ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), | ||
60 | header, plen))) | ||
61 | return plen; | ||
62 | + if (p + 11 > limit) | ||
63 | + return plen; /* Too big */ | ||
64 | *p++ = 0; /* empty name */ | ||
65 | PUTSHORT(T_OPT, p); | ||
66 | PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ | ||
67 | @@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
68 | /* Copy back any options */ | ||
69 | if (buff) | ||
70 | { | ||
71 | + if (p + rdlen > limit) | ||
72 | + { | ||
73 | + free(buff); | ||
74 | + return plen; /* Too big */ | ||
75 | + } | ||
76 | memcpy(p, buff, rdlen); | ||
77 | free(buff); | ||
78 | p += rdlen; | ||
79 | @@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
80 | /* Add new option */ | ||
81 | if (optno != 0 && replace != 2) | ||
82 | { | ||
83 | + if (p + 4 > limit) | ||
84 | + return plen; /* Too big */ | ||
85 | PUTSHORT(optno, p); | ||
86 | PUTSHORT(optlen, p); | ||
87 | + if (p + optlen > limit) | ||
88 | + return plen; /* Too big */ | ||
89 | memcpy(p, opt, optlen); | ||
90 | p += optlen; | ||
91 | PUTSHORT(p - datap, lenp); | ||
92 | -- | ||
93 | 1.7.10.4 | ||
94 | |||