1 files changed, 0 insertions, 73 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch
deleted file mode 100644
index 6f27667..0000000
--- a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Tue, 26 Sep 2017 22:00:11 +0100
-Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow.
-Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
-Handles case when RR name is not a pointer to the question,
-only occurs for some auth-mode replies, therefore not
-detected by fuzzing (?)
-CVE: CVE-2017-14491
-Upstream-Status: Backport 
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- src/rfc1035.c |   27 +++++++++++++++------------
- 1 file changed, 15 insertions(+), 12 deletions(-)
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 27af023..56ab88b 100644
--- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
- 
-   va_start(ap, format);   /* make ap point to 1st unamed argument */
- 
-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-  CHECK_LIMIT(12);
-
-   if (nameoffset > 0)
-     {
-+      CHECK_LIMIT(2);
-       PUTSHORT(nameoffset | 0xc000, p);
-     }
-   else
-     {
-       char *name = va_arg(ap, char *);
-      if (name)
-       p = do_rfc1035_name(p, name, limit);
-        if (!p)
-          {
-            va_end(ap);
-            goto truncated;
-          }
-
-+      if (name && !(p = do_rfc1035_name(p, name, limit)))
-+       {
-+         va_end(ap);
-+         goto truncated;
-+       }
-+      
-       if (nameoffset < 0)
-        {
-+         CHECK_LIMIT(2);
-          PUTSHORT(-nameoffset | 0xc000, p);
-        }
-       else
-       *p++ = 0;
-+       {
-+         CHECK_LIMIT(1);
-+         *p++ = 0;
-+       }
-     }
- 
-+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
-+  CHECK_LIMIT(10);
-+  
-   PUTSHORT(type, p);
-   PUTSHORT(class, p);
-   PUTLONG(ttl, p);      /* TTL */
-- 
-1.7.10.4

diff --git a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch b/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch deleted file mode 100644 index 6f27667..0000000 --- a/recipes-networking/dnsmasq/dnsmasq/0002-CVE-2017-14491.patch +++ /dev/null
@@ -1,73 +0,0 @@
1	From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
2	From: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Tue, 26 Sep 2017 22:00:11 +0100
4	Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow.
5
6	Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
7	Handles case when RR name is not a pointer to the question,
8	only occurs for some auth-mode replies, therefore not
9	detected by fuzzing (?)
10
11	CVE: CVE-2017-14491
12	Upstream-Status: Backport
13
14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15	---
16	src/rfc1035.c \| 27 +++++++++++++++------------
17	1 file changed, 15 insertions(+), 12 deletions(-)
18
19	diff --git a/src/rfc1035.c b/src/rfc1035.c
20	index 27af023..56ab88b 100644
21	--- a/src/rfc1035.c
22	+++ b/src/rfc1035.c
23	@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
24
25	va_start(ap, format); /* make ap point to 1st unamed argument */
26
27	- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
28	- CHECK_LIMIT(12);
29	-
30	if (nameoffset > 0)
31	{
32	+ CHECK_LIMIT(2);
33	PUTSHORT(nameoffset \| 0xc000, p);
34	}
35	else
36	{
37	char name = va_arg(ap, char );
38	- if (name)
39	- p = do_rfc1035_name(p, name, limit);
40	- if (!p)
41	- {
42	- va_end(ap);
43	- goto truncated;
44	- }
45	-
46	+ if (name && !(p = do_rfc1035_name(p, name, limit)))
47	+ {
48	+ va_end(ap);
49	+ goto truncated;
50	+ }
51	+
52	if (nameoffset < 0)
53	{
54	+ CHECK_LIMIT(2);
55	PUTSHORT(-nameoffset \| 0xc000, p);
56	}
57	else
58	- *p++ = 0;
59	+ {
60	+ CHECK_LIMIT(1);
61	+ *p++ = 0;
62	+ }
63	}
64
65	+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
66	+ CHECK_LIMIT(10);
67	+
68	PUTSHORT(type, p);
69	PUTSHORT(class, p);
70	PUTLONG(ttl, p); /* TTL */
71	--
72	1.7.10.4
73