diff options
-rw-r--r-- | recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch | 55 | ||||
-rw-r--r-- | recipes-networking/dnsmasq/dnsmasq_%.bbappend | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch new file mode 100644 index 0000000..fedb825 --- /dev/null +++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:52:50 +0100 | ||
4 | Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer | ||
5 | overflow. | ||
6 | |||
7 | Fix stack overflow in DHCPv6 code. An attacker who can send | ||
8 | a DHCPv6 request to dnsmasq can overflow the stack frame and | ||
9 | crash or control dnsmasq. | ||
10 | |||
11 | CVE: CVE-2017-14493 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | CHANGELOG | 8 ++++++++ | ||
17 | src/rfc3315.c | 3 +++ | ||
18 | 2 files changed, 11 insertions(+) | ||
19 | |||
20 | diff --git a/CHANGELOG b/CHANGELOG | ||
21 | index df6c157..c48378f 100644 | ||
22 | --- a/CHANGELOG | ||
23 | +++ b/CHANGELOG | ||
24 | @@ -43,6 +43,14 @@ version 2.78 | ||
25 | Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
26 | and Kevin Hamacher of the Google Security Team for | ||
27 | finding this. | ||
28 | + | ||
29 | + Fix stack overflow in DHCPv6 code. An attacker who can send | ||
30 | + a DHCPv6 request to dnsmasq can overflow the stack frame and | ||
31 | + crash or control dnsmasq. | ||
32 | + CVE-2017-14493 applies. | ||
33 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
34 | + and Kevin Hamacher of the Google Security Team for | ||
35 | + finding this. | ||
36 | |||
37 | |||
38 | version 2.77 | ||
39 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
40 | index 1687931..920907c 100644 | ||
41 | --- a/src/rfc3315.c | ||
42 | +++ b/src/rfc3315.c | ||
43 | @@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, | ||
44 | /* RFC-6939 */ | ||
45 | if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) | ||
46 | { | ||
47 | + if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) { | ||
48 | + return 0; | ||
49 | + } | ||
50 | state->mac_type = opt6_uint(opt, 0, 2); | ||
51 | state->mac_len = opt6_len(opt) - 2; | ||
52 | memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); | ||
53 | -- | ||
54 | 1.7.10.4 | ||
55 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend index 1fc8819..7db502a 100644 --- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend +++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend | |||
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | |||
4 | SRC_URI += "file://0001-CVE-2017-14491.patch \ | 4 | SRC_URI += "file://0001-CVE-2017-14491.patch \ |
5 | file://0002-CVE-2017-14491.patch \ | 5 | file://0002-CVE-2017-14491.patch \ |
6 | file://CVE-2017-14492.patch \ | 6 | file://CVE-2017-14492.patch \ |
7 | file://CVE-2017-14493.patch \ | ||
7 | " | 8 | " |