From 91b02ae7ac707984cd5182bb39c2fe8086a1696f Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Wed, 4 Oct 2017 12:34:28 +0200
Subject: dnsmasq: CVE-2017-14494

Can help bypass ASLR.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14494
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 .../dnsmasq/dnsmasq/CVE-2017-14494.patch           | 55 ++++++++++++++++++++++
 recipes-networking/dnsmasq/dnsmasq_%.bbappend      |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch

diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch
new file mode 100644
index 0000000..d32f713
--- /dev/null
+++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch
@@ -0,0 +1,55 @@
+From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:05:11 +0100
+Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
+ forwarded requests.
+
+Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+cause dnsmasq to forward memory from outside the packet
+buffer to a DHCPv6 server when acting as a relay.
+
+CVE: CVE-2017-14494
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGELOG     |    8 ++++++++
+ src/rfc3315.c |    3 +++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index c48378f..d1cc074 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -51,6 +51,14 @@ version 2.78
+ 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+ 	and Kevin Hamacher of the Google Security Team for
+ 	finding this.
++
++	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
++	cause dnsmasq to forward memory from outside the packet
++	buffer to a DHCPv6 server when acting as a relay.
++	CVE-2017-14494 applies.
++	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
++	and Kevin Hamacher of the Google Security Team for
++	finding this.
+ 	
+ 	
+ version 2.77
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 920907c..4ca43e0 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   
+   for (opt = opts; opt; opt = opt6_next(opt, end))
+     {
++      if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
++        return 0;
++      }
+       int o = new_opt6(opt6_type(opt));
+       if (opt6_type(opt) == OPTION6_RELAY_MSG)
+ 	{
+-- 
+1.7.10.4
+
diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
index 7db502a..c0c4633 100644
--- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend
+++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -5,4 +5,5 @@ SRC_URI += "file://0001-CVE-2017-14491.patch \
     file://0002-CVE-2017-14491.patch \
     file://CVE-2017-14492.patch \
     file://CVE-2017-14493.patch \
+    file://CVE-2017-14494.patch \
 "
-- 
cgit v1.2.3-54-g00ecf