dnsmasq: backport CVE fixes from dnsmasq 2.78morty-next morty

CVE-2017-1449{1-6} Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Xiao <xiao.zhang@windriver.com> 2018-05-04 15:04:33 -0700
committer: Armin Kuster <akuster808@gmail.com> 2018-05-28 19:08:25 -0700
commit: 997caf9146cd3797cd054e2adebd1fbb4df91911 (patch)
tree: 5d5988e851ef380998840df86af7a5b799107bc9
parent: 2628a2ccacc3bb0256df97ef4b0245f685485c78 (diff)
download: meta-openembedded-morty-next.tar.gz
8 files changed, 582 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
new file mode 100644
index 000000000..3e73feb68
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
@@ -0,0 +1,75 @@
+From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
+git://thekelleys.org.uk/dnsmasq
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 78410d6..e5628ba 100644
+--- a/src/rfc1035.c
+++ b/src/rfc1035.c
+@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ 
+   va_start(ap, format);   /* make ap point to 1st unamed argument */
+ 
+-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+-  CHECK_LIMIT(12);
+-
+   if (nameoffset > 0)
+     {
+      CHECK_LIMIT(2);
+       PUTSHORT(nameoffset | 0xc000, p);
+     }
+   else
+     {
+       char *name = va_arg(ap, char *);
+-      if (name)
+-       p = do_rfc1035_name(p, name, limit);
+-        if (!p)
+-          {
+-            va_end(ap);
+-            goto truncated;
+-          }
+-
+      if (name && !(p = do_rfc1035_name(p, name, limit)))
+       {
+         va_end(ap);
+         goto truncated;
+       }
+      
+       if (nameoffset < 0)
+        {
+         CHECK_LIMIT(2);
+          PUTSHORT(-nameoffset | 0xc000, p);
+        }
+       else
+-       *p++ = 0;
+       {
+         CHECK_LIMIT(1);
+         *p++ = 0;
+       }
+     }
+ 
+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
+  CHECK_LIMIT(10);
+  
+   PUTSHORT(type, p);
+   PUTSHORT(class, p);
+   PUTLONG(ttl, p);      /* TTL */
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch
new file mode 100644
index 000000000..05986788d
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch
@@ -0,0 +1,268 @@
+From 8644f7c99c5e2fde6b6872a4ab820d3520f44e24 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:17:11 +0100
+Subject: [PATCH 1/7] Security fix, CVE-2017-14491 DNS heap buffer overflow.
+commit 0549c73b7ea6b22a3c49beb4d432f185a81efcbc upstream
+git://thekelleys.org.uk/dnsmasq
+Fix heap overflow in DNS code. This is a potentially serious
+security hole. It allows an attacker who can make DNS
+requests to dnsmasq, and who controls the contents of
+a domain, which is thereby queried, to overflow
+(by 2 bytes) a heap buffer and either crash, or
+even take control of, dnsmasq.
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/dnsmasq.h |  2 +-
+ src/dnssec.c  |  2 +-
+ src/option.c  |  2 +-
+ src/rfc1035.c | 50 +++++++++++++++++++++++++++++++++++++++++---------
+ src/rfc2131.c |  4 ++--
+ src/rfc3315.c |  4 ++--
+ src/util.c    |  7 ++++++-
+ 7 files changed, 54 insertions(+), 17 deletions(-)
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 1896a64..ed5da36 100644
+--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
+@@ -1161,7 +1161,7 @@ u32 rand32(void);
+ u64 rand64(void);
+ int legal_hostname(char *c);
+ char *canonicalise(char *s, int *nomem);
+-unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
+ void *safe_malloc(size_t size);
+ void safe_pipe(int *fd, int read_noblock);
+ void *whine_malloc(size_t size);
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 3c77c7d..f45c804 100644
+--- a/src/dnssec.c
+++ b/src/dnssec.c
+@@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
+ 
+   p = (unsigned char *)(header+1);
+        
+-  p = do_rfc1035_name(p, name);
+  p = do_rfc1035_name(p, name, NULL);
+   *p++ = 0;
+   PUTSHORT(type, p);
+   PUTSHORT(class, p);
+diff --git a/src/option.c b/src/option.c
+index d8c57d6..0e1c326 100644
+--- a/src/option.c
+++ b/src/option.c
+@@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char *errstr, char *arg, int flags)
+                    }
+                  
+                  p = newp;
+-                 end = do_rfc1035_name(p + len, dom);
+                 end = do_rfc1035_name(p + len, dom, NULL);
+                  *end++ = 0;
+                  len = end - p;
+                  free(dom);
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 24d08c1..78410d6 100644
+--- a/src/rfc1035.c
+++ b/src/rfc1035.c
+@@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog
+   return 0;
+ }
+ 
+
+ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, 
+                        unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
+ {
+@@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+   unsigned short usval;
+   long lval;
+   char *sval;
+#define CHECK_LIMIT(size) \
+  if (limit && p + (size) > (unsigned char*)limit) \
+    { \
+      va_end(ap); \
+      goto truncated; \
+    }
+ 
+   if (truncp && *truncp)
+     return 0;
+- 
+
+   va_start(ap, format);   /* make ap point to 1st unamed argument */
+-  
+
+  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+  CHECK_LIMIT(12);
+
+   if (nameoffset > 0)
+     {
+       PUTSHORT(nameoffset | 0xc000, p);
+@@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+     {
+       char *name = va_arg(ap, char *);
+       if (name)
+-       p = do_rfc1035_name(p, name);
+       p = do_rfc1035_name(p, name, limit);
+        if (!p)
+          {
+            va_end(ap);
+            goto truncated;
+          }
+
+       if (nameoffset < 0)
+        {
+          PUTSHORT(-nameoffset | 0xc000, p);
+@@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+       {
+ #ifdef HAVE_IPV6
+       case '6':
+        CHECK_LIMIT(IN6ADDRSZ);
+        sval = va_arg(ap, char *); 
+        memcpy(p, sval, IN6ADDRSZ);
+        p += IN6ADDRSZ;
+@@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ #endif
+        
+       case '4':
+        CHECK_LIMIT(INADDRSZ);
+        sval = va_arg(ap, char *); 
+        memcpy(p, sval, INADDRSZ);
+        p += INADDRSZ;
+        break;
+        
+       case 'b':
+        CHECK_LIMIT(1);
+        usval = va_arg(ap, int);
+        *p++ = usval;
+        break;
+        
+       case 's':
+        CHECK_LIMIT(2);
+        usval = va_arg(ap, int);
+        PUTSHORT(usval, p);
+        break;
+        
+       case 'l':
+        CHECK_LIMIT(4);
+        lval = va_arg(ap, long);
+        PUTLONG(lval, p);
+        break;
+        
+       case 'd':
+-       /* get domain-name answer arg and store it in RDATA field */
+-       if (offset)
+-         *offset = p - (unsigned char *)header;
+-       p = do_rfc1035_name(p, va_arg(ap, char *));
+-       *p++ = 0;
+        /* get domain-name answer arg and store it in RDATA field */
+        if (offset)
+          *offset = p - (unsigned char *)header;
+        p = do_rfc1035_name(p, va_arg(ap, char *), limit);
+        if (!p)
+          {
+            va_end(ap);
+            goto truncated;
+          }
+        CHECK_LIMIT(1);
+        *p++ = 0;
+        break;
+        
+       case 't':
+        usval = va_arg(ap, int);
+        CHECK_LIMIT(usval);
+        sval = va_arg(ap, char *);
+        if (usval != 0)
+          memcpy(p, sval, usval);
+@@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+        usval = sval ? strlen(sval) : 0;
+        if (usval > 255)
+          usval = 255;
+        CHECK_LIMIT(usval + 1);
+        *p++ = (unsigned char)usval;
+        memcpy(p, sval, usval);
+        p += usval;
+        break;
+       }
+ 
+#undef CHECK_LIMIT
+   va_end(ap);  /* clean up variable argument pointer */
+   
+   j = p - sav - 2;
+-  PUTSHORT(j, sav);     /* Now, store real RDLength */
+ /* this has already been checked against limit before */
+ PUTSHORT(j, sav);     /* Now, store real RDLength */
+   
+   /* check for overflow of buffer */
+   if (limit && ((unsigned char *)limit - p) < 0)
+     {
+truncated:
+       if (truncp)
+        *truncp = 1;
+       return 0;
+diff --git a/src/rfc2131.c b/src/rfc2131.c
+index b7c167e..0dffd36 100644
+--- a/src/rfc2131.c
+++ b/src/rfc2131.c
+@@ -2419,10 +2419,10 @@ static void do_options(struct dhcp_context *context,
+ 
+              if (fqdn_flags & 0x04)
+                {
+-                 p = do_rfc1035_name(p, hostname);
+                 p = do_rfc1035_name(p, hostname, NULL);
+                  if (domain)
+                    {
+-                     p = do_rfc1035_name(p, domain);
+                     p = do_rfc1035_name(p, domain, NULL);
+                      *p++ = 0;
+                    }
+                }
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f4d69c..73bdee4 100644
+--- a/src/rfc3315.c
+++ b/src/rfc3315.c
+@@ -1472,10 +1472,10 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+       if ((p = expand(len + 2)))
+        {
+          *(p++) = state->fqdn_flags;
+-         p = do_rfc1035_name(p, state->hostname);
+         p = do_rfc1035_name(p, state->hostname, NULL);
+          if (state->send_domain)
+            {
+-             p = do_rfc1035_name(p, state->send_domain);
+             p = do_rfc1035_name(p, state->send_domain, NULL);
+              *p = 0;
+            }
+        }
+diff --git a/src/util.c b/src/util.c
+index 93b24f5..a377e6f 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -218,15 +218,20 @@ char *canonicalise(char *in, int *nomem)
+   return ret;
+ }
+ 
+-unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)
+ {
+   int j;
+   
+   while (sval && *sval)
+     {
+      if (limit && p + 1 > (unsigned char*)limit)
+        return p;
+
+       unsigned char *cp = p++;
+       for (j = 0; *sval && (*sval != '.'); sval++, j++)
+        {
+          if (limit && p + 1 > (unsigned char*)limit)
+            return p;
+ #ifdef HAVE_DNSSEC
+          if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
+            *p++ = (*(++sval))-1;
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch
new file mode 100644
index 000000000..19949314c
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch
@@ -0,0 +1,37 @@
+From 6a0e7dbac67a8393e4505e593e5c46544c53eae0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:47:15 +0100
+Subject: [PATCH 2/7] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow.
+commit 24036ea507862c7b7898b68289c8130f85599c10 upstream
+git://thekelleys.org.uk/dnsmasq
+Fix heap overflow in IPv6 router advertisement code.
+This is a potentially serious security hole, as a
+crafted RA request can overflow a buffer and crash or
+control dnsmasq. Attacker must be on the local network.
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/radv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/radv.c b/src/radv.c
+index 749b666..d09fe0e 100644
+--- a/src/radv.c
+++ b/src/radv.c
+@@ -198,6 +198,9 @@ void icmp6_packet(time_t now)
+       /* look for link-layer address option for logging */
+       if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz)
+        {
+         if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {
+           return;
+         }
+          print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2);
+          mac = daemon->namebuff;
+        }
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch
new file mode 100644
index 000000000..ae99cf49a
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch
@@ -0,0 +1,37 @@
+From f23f4be3cb72d307806e3d3ca14779f69ac5494c Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:52:50 +0100
+Subject: [PATCH 3/7] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
+ overflow.
+commit 3d4ff1ba8419546490b464418223132529514033 upstream
+git://thekelleys.org.uk/dnsmasq
+Fix stack overflow in DHCPv6 code. An attacker who can send
+a DHCPv6 request to dnsmasq can overflow the stack frame and
+crash or control dnsmasq.
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 73bdee4..8d18a28 100644
+--- a/src/rfc3315.c
+++ b/src/rfc3315.c
+@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   /* RFC-6939 */
+   if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
+     {
+      if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
+        return 0;
+      }
+       state->mac_type = opt6_uint(opt, 0, 2);
+       state->mac_len = opt6_len(opt) - 2;
+       memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch
new file mode 100644
index 000000000..a6f0e2abe
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch
@@ -0,0 +1,37 @@
+From aba3f8df87d104d599920ea44e96191601638961 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:05:11 +0100
+Subject: [PATCH 4/7] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
+ forwarded requests.
+commit 33e3f1029c9ec6c63e430ff51063a6301d4b2262 upstream
+git://thekelleys.org.uk/dnsmasq
+Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+cause dnsmasq to forward memory from outside the packet
+buffer to a DHCPv6 server when acting as a relay.
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 8d18a28..03b3f84 100644
+--- a/src/rfc3315.c
+++ b/src/rfc3315.c
+@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   
+   for (opt = opts; opt; opt = opt6_next(opt, end))
+     {
+      if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
+        return 0;
+      }
+       int o = new_opt6(opt6_type(opt));
+       if (opt6_type(opt) == OPTION6_RELAY_MSG)
+        {
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch
new file mode 100644
index 000000000..31014d102
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch
@@ -0,0 +1,48 @@
+From e4ae220ee00dcad20a716432badd3210b442ddb4 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:16:50 +0100
+Subject: [PATCH 6/7] Security fix, CVE-2017-14495, OOM in DNS response
+ creation.
+commit 51eadb692a5123b9838e5a68ecace3ac579a3a45 upstream
+git://thekelleys.org.uk/dnsmasq
+Fix out-of-memory Dos vulnerability. An attacker which can
+send malicious DNS queries to dnsmasq can trigger memory
+allocations in the add_pseudoheader function
+The allocated memory is never freed which leads to a DoS
+through memory exhaustion. dnsmasq is vulnerable only
+if one of the following option is specified:
+--add-mac, --add-cpe-id or --add-subnet.
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/edns0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/src/edns0.c b/src/edns0.c
+index a2ef0ea..f48c084 100644
+--- a/src/edns0.c
+++ b/src/edns0.c
+@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+          !(p = skip_section(p, 
+                             ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
+                             header, plen)))
+      {
+       free(buff);
+        return plen;
+      }
+       if (p + 11 > limit)
+-       return plen; /* Too big */
+      {
+        free(buff);
+        return plen; /* Too big */
+      }
+       *p++ = 0; /* empty name */
+       PUTSHORT(T_OPT, p);
+       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch
new file mode 100644
index 000000000..fc50ef084
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch
@@ -0,0 +1,73 @@
+From c25545680679a12d78dd80662ed1bc5d97a38d6d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:11:58 +0100
+Subject: [PATCH 5/7] Security fix, CVE-2017-14496, Integer underflow in DNS
+ response creation.
+commit 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 upstream
+git://thekelleys.org.uk/dnsmasq
+Fix DoS in DNS. Invalid boundary checks in the
+add_pseudoheader function allows a memcpy call with negative
+size An attacker which can send malicious DNS queries
+to dnsmasq can trigger a DoS remotely.
+dnsmasq is vulnerable only if one of the following option is
+specified: --add-mac, --add-cpe-id or --add-subnet.
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/edns0.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+diff --git a/src/edns0.c b/src/edns0.c
+index c7a101e..a2ef0ea 100644
+--- a/src/edns0.c
+++ b/src/edns0.c
+@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+          GETSHORT(len, p);
+          
+          /* malformed option, delete the whole OPT RR and start again. */
+-         if (i + len > rdlen)
+         if (i + 4 + len > rdlen)
+            {
+              rdlen = 0;
+              is_last = 0;
+@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+                             ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
+                             header, plen)))
+        return plen;
+      if (p + 11 > limit)
+       return plen; /* Too big */
+       *p++ = 0; /* empty name */
+       PUTSHORT(T_OPT, p);
+       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+       /* Copy back any options */
+       if (buff)
+        {
+          if (p + rdlen > limit)
+          {
+            free(buff);
+            return plen; /* Too big */
+          }
+          memcpy(p, buff, rdlen);
+          free(buff);
+          p += rdlen;
+@@ -217,8 +224,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+   /* Add new option */
+   if (optno != 0 && replace != 2)
+     {
+      if (p + 4 > limit)
+       return plen; /* Too big */
+       PUTSHORT(optno, p);
+       PUTSHORT(optlen, p);
+      if (p + optlen > limit)
+       return plen; /* Too big */
+       memcpy(p, opt, optlen);
+       p += optlen;  
+       PUTSHORT(p - datap, lenp);
+-- 
+2.11.0
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb
index 41573d9dd..5b68d98f8 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb
@@ -2,6 +2,13 @@ require dnsmasq.inc
 SRC_URI += "\
    file://lua.patch \
+    file://dnsmasq-CVE-2017-14491.patch \
+    file://dnsmasq-CVE-2017-14492.patch \
+    file://dnsmasq-CVE-2017-14493.patch \
+    file://dnsmasq-CVE-2017-14494.patch \
+    file://dnsmasq-CVE-2017-14496.patch \
+    file://dnsmasq-CVE-2017-14495.patch \
+    file://dnsmasq-CVE-2017-14491-02.patch \
 "
 SRC_URI[dnsmasq-2.76.md5sum] = "6610f8233ca89b15a1bb47c788ffb84f"
author	Zhang Xiao <xiao.zhang@windriver.com>	2018-05-04 15:04:33 -0700
committer	Armin Kuster <akuster808@gmail.com>	2018-05-28 19:08:25 -0700
commit	997caf9146cd3797cd054e2adebd1fbb4df91911 (patch)
tree	5d5988e851ef380998840df86af7a5b799107bc9
parent	2628a2ccacc3bb0256df97ef4b0245f685485c78 (diff)
download	meta-openembedded-morty-next.tar.gz

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch new file mode 100644 index 000000000..3e73feb68 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
@@ -0,0 +1,75 @@
		1	From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Tue, 26 Sep 2017 22:00:11 +0100
		4	Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.
		5
		6	commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
		7	git://thekelleys.org.uk/dnsmasq
		8
		9	Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
		10	Handles case when RR name is not a pointer to the question,
		11	only occurs for some auth-mode replies, therefore not
		12	detected by fuzzing (?)
		13
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		17	---
		18	src/rfc1035.c \| 27 +++++++++++++++------------
		19	1 file changed, 15 insertions(+), 12 deletions(-)
		20
		21	diff --git a/src/rfc1035.c b/src/rfc1035.c
		22	index 78410d6..e5628ba 100644
		23	--- a/src/rfc1035.c
		24	+++ b/src/rfc1035.c
		25	@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
		26
		27	va_start(ap, format); /* make ap point to 1st unamed argument */
		28
		29	- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
		30	- CHECK_LIMIT(12);
		31	-
		32	if (nameoffset > 0)
		33	{
		34	+ CHECK_LIMIT(2);
		35	PUTSHORT(nameoffset \| 0xc000, p);
		36	}
		37	else
		38	{
		39	char name = va_arg(ap, char );
		40	- if (name)
		41	- p = do_rfc1035_name(p, name, limit);
		42	- if (!p)
		43	- {
		44	- va_end(ap);
		45	- goto truncated;
		46	- }
		47	-
		48	+ if (name && !(p = do_rfc1035_name(p, name, limit)))
		49	+ {
		50	+ va_end(ap);
		51	+ goto truncated;
		52	+ }
		53	+
		54	if (nameoffset < 0)
		55	{
		56	+ CHECK_LIMIT(2);
		57	PUTSHORT(-nameoffset \| 0xc000, p);
		58	}
		59	else
		60	- *p++ = 0;
		61	+ {
		62	+ CHECK_LIMIT(1);
		63	+ *p++ = 0;
		64	+ }
		65	}
		66
		67	+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
		68	+ CHECK_LIMIT(10);
		69	+
		70	PUTSHORT(type, p);
		71	PUTSHORT(class, p);
		72	PUTLONG(ttl, p); /* TTL */
		73	--
		74	2.11.0
		75


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch new file mode 100644 index 000000000..05986788d --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch
@@ -0,0 +1,268 @@
		1	From 8644f7c99c5e2fde6b6872a4ab820d3520f44e24 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 18:17:11 +0100
		4	Subject: [PATCH 1/7] Security fix, CVE-2017-14491 DNS heap buffer overflow.
		5
		6	commit 0549c73b7ea6b22a3c49beb4d432f185a81efcbc upstream
		7	git://thekelleys.org.uk/dnsmasq
		8
		9	Fix heap overflow in DNS code. This is a potentially serious
		10	security hole. It allows an attacker who can make DNS
		11	requests to dnsmasq, and who controls the contents of
		12	a domain, which is thereby queried, to overflow
		13	(by 2 bytes) a heap buffer and either crash, or
		14	even take control of, dnsmasq.
		15
		16	Upstream-Status: Backport
		17
		18	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		19	---
		20	src/dnsmasq.h \| 2 +-
		21	src/dnssec.c \| 2 +-
		22	src/option.c \| 2 +-
		23	src/rfc1035.c \| 50 +++++++++++++++++++++++++++++++++++++++++---------
		24	src/rfc2131.c \| 4 ++--
		25	src/rfc3315.c \| 4 ++--
		26	src/util.c \| 7 ++++++-
		27	7 files changed, 54 insertions(+), 17 deletions(-)
		28
		29	diff --git a/src/dnsmasq.h b/src/dnsmasq.h
		30	index 1896a64..ed5da36 100644
		31	--- a/src/dnsmasq.h
		32	+++ b/src/dnsmasq.h
		33	@@ -1161,7 +1161,7 @@ u32 rand32(void);
		34	u64 rand64(void);
		35	int legal_hostname(char *c);
		36	char canonicalise(char s, int *nomem);
		37	-unsigned char do_rfc1035_name(unsigned char p, char *sval);
		38	+unsigned char do_rfc1035_name(unsigned char p, char sval, char limit);
		39	void *safe_malloc(size_t size);
		40	void safe_pipe(int *fd, int read_noblock);
		41	void *whine_malloc(size_t size);
		42	diff --git a/src/dnssec.c b/src/dnssec.c
		43	index 3c77c7d..f45c804 100644
		44	--- a/src/dnssec.c
		45	+++ b/src/dnssec.c
		46	@@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_header header, unsigned char end, char
		47
		48	p = (unsigned char *)(header+1);
		49
		50	- p = do_rfc1035_name(p, name);
		51	+ p = do_rfc1035_name(p, name, NULL);
		52	*p++ = 0;
		53	PUTSHORT(type, p);
		54	PUTSHORT(class, p);
		55	diff --git a/src/option.c b/src/option.c
		56	index d8c57d6..0e1c326 100644
		57	--- a/src/option.c
		58	+++ b/src/option.c
		59	@@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char errstr, char arg, int flags)
		60	}
		61
		62	p = newp;
		63	- end = do_rfc1035_name(p + len, dom);
		64	+ end = do_rfc1035_name(p + len, dom, NULL);
		65	*end++ = 0;
		66	len = end - p;
		67	free(dom);
		68	diff --git a/src/rfc1035.c b/src/rfc1035.c
		69	index 24d08c1..78410d6 100644
		70	--- a/src/rfc1035.c
		71	+++ b/src/rfc1035.c
		72	@@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog
		73	return 0;
		74	}
		75
		76	+
		77	int add_resource_record(struct dns_header header, char limit, int truncp, int nameoffset, unsigned char *pp,
		78	unsigned long ttl, int offset, unsigned short type, unsigned short class, char format, ...)
		79	{
		80	@@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
		81	unsigned short usval;
		82	long lval;
		83	char *sval;
		84	+#define CHECK_LIMIT(size) \
		85	+ if (limit && p + (size) > (unsigned char*)limit) \
		86	+ { \
		87	+ va_end(ap); \
		88	+ goto truncated; \
		89	+ }
		90
		91	if (truncp && *truncp)
		92	return 0;
		93	-
		94	+
		95	va_start(ap, format); /* make ap point to 1st unamed argument */
		96	-
		97	+
		98	+ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
		99	+ CHECK_LIMIT(12);
		100	+
		101	if (nameoffset > 0)
		102	{
		103	PUTSHORT(nameoffset \| 0xc000, p);
		104	@@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
		105	{
		106	char name = va_arg(ap, char );
		107	if (name)
		108	- p = do_rfc1035_name(p, name);
		109	+ p = do_rfc1035_name(p, name, limit);
		110	+ if (!p)
		111	+ {
		112	+ va_end(ap);
		113	+ goto truncated;
		114	+ }
		115	+
		116	if (nameoffset < 0)
		117	{
		118	PUTSHORT(-nameoffset \| 0xc000, p);
		119	@@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
		120	{
		121	#ifdef HAVE_IPV6
		122	case '6':
		123	+ CHECK_LIMIT(IN6ADDRSZ);
		124	sval = va_arg(ap, char *);
		125	memcpy(p, sval, IN6ADDRSZ);
		126	p += IN6ADDRSZ;
		127	@@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
		128	#endif
		129
		130	case '4':
		131	+ CHECK_LIMIT(INADDRSZ);
		132	sval = va_arg(ap, char *);
		133	memcpy(p, sval, INADDRSZ);
		134	p += INADDRSZ;
		135	break;
		136
		137	case 'b':
		138	+ CHECK_LIMIT(1);
		139	usval = va_arg(ap, int);
		140	*p++ = usval;
		141	break;
		142
		143	case 's':
		144	+ CHECK_LIMIT(2);
		145	usval = va_arg(ap, int);
		146	PUTSHORT(usval, p);
		147	break;
		148
		149	case 'l':
		150	+ CHECK_LIMIT(4);
		151	lval = va_arg(ap, long);
		152	PUTLONG(lval, p);
		153	break;
		154
		155	case 'd':
		156	- /* get domain-name answer arg and store it in RDATA field */
		157	- if (offset)
		158	- offset = p - (unsigned char )header;
		159	- p = do_rfc1035_name(p, va_arg(ap, char *));
		160	- *p++ = 0;
		161	+ /* get domain-name answer arg and store it in RDATA field */
		162	+ if (offset)
		163	+ offset = p - (unsigned char )header;
		164	+ p = do_rfc1035_name(p, va_arg(ap, char *), limit);
		165	+ if (!p)
		166	+ {
		167	+ va_end(ap);
		168	+ goto truncated;
		169	+ }
		170	+ CHECK_LIMIT(1);
		171	+ *p++ = 0;
		172	break;
		173
		174	case 't':
		175	usval = va_arg(ap, int);
		176	+ CHECK_LIMIT(usval);
		177	sval = va_arg(ap, char *);
		178	if (usval != 0)
		179	memcpy(p, sval, usval);
		180	@@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
		181	usval = sval ? strlen(sval) : 0;
		182	if (usval > 255)
		183	usval = 255;
		184	+ CHECK_LIMIT(usval + 1);
		185	*p++ = (unsigned char)usval;
		186	memcpy(p, sval, usval);
		187	p += usval;
		188	break;
		189	}
		190
		191	+#undef CHECK_LIMIT
		192	va_end(ap); /* clean up variable argument pointer */
		193
		194	j = p - sav - 2;
		195	- PUTSHORT(j, sav); /* Now, store real RDLength */
		196	+ /* this has already been checked against limit before */
		197	+ PUTSHORT(j, sav); /* Now, store real RDLength */
		198
		199	/* check for overflow of buffer */
		200	if (limit && ((unsigned char *)limit - p) < 0)
		201	{
		202	+truncated:
		203	if (truncp)
		204	*truncp = 1;
		205	return 0;
		206	diff --git a/src/rfc2131.c b/src/rfc2131.c
		207	index b7c167e..0dffd36 100644
		208	--- a/src/rfc2131.c
		209	+++ b/src/rfc2131.c
		210	@@ -2419,10 +2419,10 @@ static void do_options(struct dhcp_context *context,
		211
		212	if (fqdn_flags & 0x04)
		213	{
		214	- p = do_rfc1035_name(p, hostname);
		215	+ p = do_rfc1035_name(p, hostname, NULL);
		216	if (domain)
		217	{
		218	- p = do_rfc1035_name(p, domain);
		219	+ p = do_rfc1035_name(p, domain, NULL);
		220	*p++ = 0;
		221	}
		222	}
		223	diff --git a/src/rfc3315.c b/src/rfc3315.c
		224	index 3f4d69c..73bdee4 100644
		225	--- a/src/rfc3315.c
		226	+++ b/src/rfc3315.c
		227	@@ -1472,10 +1472,10 @@ static struct dhcp_netid add_options(struct state state, int do_refresh)
		228	if ((p = expand(len + 2)))
		229	{
		230	*(p++) = state->fqdn_flags;
		231	- p = do_rfc1035_name(p, state->hostname);
		232	+ p = do_rfc1035_name(p, state->hostname, NULL);
		233	if (state->send_domain)
		234	{
		235	- p = do_rfc1035_name(p, state->send_domain);
		236	+ p = do_rfc1035_name(p, state->send_domain, NULL);
		237	*p = 0;
		238	}
		239	}
		240	diff --git a/src/util.c b/src/util.c
		241	index 93b24f5..a377e6f 100644
		242	--- a/src/util.c
		243	+++ b/src/util.c
		244	@@ -218,15 +218,20 @@ char canonicalise(char in, int *nomem)
		245	return ret;
		246	}
		247
		248	-unsigned char do_rfc1035_name(unsigned char p, char *sval)
		249	+unsigned char do_rfc1035_name(unsigned char p, char sval, char limit)
		250	{
		251	int j;
		252
		253	while (sval && *sval)
		254	{
		255	+ if (limit && p + 1 > (unsigned char*)limit)
		256	+ return p;
		257	+
		258	unsigned char *cp = p++;
		259	for (j = 0; sval && (sval != '.'); sval++, j++)
		260	{
		261	+ if (limit && p + 1 > (unsigned char*)limit)
		262	+ return p;
		263	#ifdef HAVE_DNSSEC
		264	if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
		265	p++ = ((++sval))-1;
		266	--
		267	2.11.0
		268


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch new file mode 100644 index 000000000..19949314c --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch
@@ -0,0 +1,37 @@
		1	From 6a0e7dbac67a8393e4505e593e5c46544c53eae0 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 18:47:15 +0100
		4	Subject: [PATCH 2/7] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow.
		5
		6	commit 24036ea507862c7b7898b68289c8130f85599c10 upstream
		7	git://thekelleys.org.uk/dnsmasq
		8
		9	Fix heap overflow in IPv6 router advertisement code.
		10	This is a potentially serious security hole, as a
		11	crafted RA request can overflow a buffer and crash or
		12	control dnsmasq. Attacker must be on the local network.
		13
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		17	---
		18	src/radv.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/src/radv.c b/src/radv.c
		22	index 749b666..d09fe0e 100644
		23	--- a/src/radv.c
		24	+++ b/src/radv.c
		25	@@ -198,6 +198,9 @@ void icmp6_packet(time_t now)
		26	/* look for link-layer address option for logging */
		27	if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz)
		28	{
		29	+ if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {
		30	+ return;
		31	+ }
		32	print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2);
		33	mac = daemon->namebuff;
		34	}
		35	--
		36	2.11.0
		37


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch new file mode 100644 index 000000000..ae99cf49a --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch
@@ -0,0 +1,37 @@
		1	From f23f4be3cb72d307806e3d3ca14779f69ac5494c Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 18:52:50 +0100
		4	Subject: [PATCH 3/7] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
		5	overflow.
		6
		7	commit 3d4ff1ba8419546490b464418223132529514033 upstream
		8	git://thekelleys.org.uk/dnsmasq
		9
		10	Fix stack overflow in DHCPv6 code. An attacker who can send
		11	a DHCPv6 request to dnsmasq can overflow the stack frame and
		12	crash or control dnsmasq.
		13
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		17	---
		18	src/rfc3315.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/src/rfc3315.c b/src/rfc3315.c
		22	index 73bdee4..8d18a28 100644
		23	--- a/src/rfc3315.c
		24	+++ b/src/rfc3315.c
		25	@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
		26	/* RFC-6939 */
		27	if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
		28	{
		29	+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
		30	+ return 0;
		31	+ }
		32	state->mac_type = opt6_uint(opt, 0, 2);
		33	state->mac_len = opt6_len(opt) - 2;
		34	memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
		35	--
		36	2.11.0
		37


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch new file mode 100644 index 000000000..a6f0e2abe --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch
@@ -0,0 +1,37 @@
		1	From aba3f8df87d104d599920ea44e96191601638961 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 20:05:11 +0100
		4	Subject: [PATCH 4/7] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
		5	forwarded requests.
		6
		7	commit 33e3f1029c9ec6c63e430ff51063a6301d4b2262 upstream
		8	git://thekelleys.org.uk/dnsmasq
		9
		10	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
		11	cause dnsmasq to forward memory from outside the packet
		12	buffer to a DHCPv6 server when acting as a relay.
		13
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		17	---
		18	src/rfc3315.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/src/rfc3315.c b/src/rfc3315.c
		22	index 8d18a28..03b3f84 100644
		23	--- a/src/rfc3315.c
		24	+++ b/src/rfc3315.c
		25	@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
		26
		27	for (opt = opts; opt; opt = opt6_next(opt, end))
		28	{
		29	+ if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
		30	+ return 0;
		31	+ }
		32	int o = new_opt6(opt6_type(opt));
		33	if (opt6_type(opt) == OPTION6_RELAY_MSG)
		34	{
		35	--
		36	2.11.0
		37


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch new file mode 100644 index 000000000..31014d102 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch
@@ -0,0 +1,48 @@
		1	From e4ae220ee00dcad20a716432badd3210b442ddb4 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 20:16:50 +0100
		4	Subject: [PATCH 6/7] Security fix, CVE-2017-14495, OOM in DNS response
		5	creation.
		6
		7	commit 51eadb692a5123b9838e5a68ecace3ac579a3a45 upstream
		8	git://thekelleys.org.uk/dnsmasq
		9
		10	Fix out-of-memory Dos vulnerability. An attacker which can
		11	send malicious DNS queries to dnsmasq can trigger memory
		12	allocations in the add_pseudoheader function
		13	The allocated memory is never freed which leads to a DoS
		14	through memory exhaustion. dnsmasq is vulnerable only
		15	if one of the following option is specified:
		16	--add-mac, --add-cpe-id or --add-subnet.
		17
		18	Upstream-Status: Backport
		19
		20	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		21	---
		22	src/edns0.c \| 8 +++++++-
		23	1 file changed, 7 insertions(+), 1 deletion(-)
		24
		25	diff --git a/src/edns0.c b/src/edns0.c
		26	index a2ef0ea..f48c084 100644
		27	--- a/src/edns0.c
		28	+++ b/src/edns0.c
		29	@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		30	!(p = skip_section(p,
		31	ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
		32	header, plen)))
		33	+ {
		34	+ free(buff);
		35	return plen;
		36	+ }
		37	if (p + 11 > limit)
		38	- return plen; /* Too big */
		39	+ {
		40	+ free(buff);
		41	+ return plen; /* Too big */
		42	+ }
		43	p++ = 0; / empty name */
		44	PUTSHORT(T_OPT, p);
		45	PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
		46	--
		47	2.11.0
		48


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch new file mode 100644 index 000000000..fc50ef084 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch
@@ -0,0 +1,73 @@
		1	From c25545680679a12d78dd80662ed1bc5d97a38d6d Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 20:11:58 +0100
		4	Subject: [PATCH 5/7] Security fix, CVE-2017-14496, Integer underflow in DNS
		5	response creation.
		6
		7	commit 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 upstream
		8	git://thekelleys.org.uk/dnsmasq
		9
		10	Fix DoS in DNS. Invalid boundary checks in the
		11	add_pseudoheader function allows a memcpy call with negative
		12	size An attacker which can send malicious DNS queries
		13	to dnsmasq can trigger a DoS remotely.
		14	dnsmasq is vulnerable only if one of the following option is
		15	specified: --add-mac, --add-cpe-id or --add-subnet.
		16
		17	Upstream-Status: Backport
		18
		19	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
		20	---
		21	src/edns0.c \| 13 ++++++++++++-
		22	1 file changed, 12 insertions(+), 1 deletion(-)
		23
		24	diff --git a/src/edns0.c b/src/edns0.c
		25	index c7a101e..a2ef0ea 100644
		26	--- a/src/edns0.c
		27	+++ b/src/edns0.c
		28	@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		29	GETSHORT(len, p);
		30
		31	/* malformed option, delete the whole OPT RR and start again. */
		32	- if (i + len > rdlen)
		33	+ if (i + 4 + len > rdlen)
		34	{
		35	rdlen = 0;
		36	is_last = 0;
		37	@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		38	ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
		39	header, plen)))
		40	return plen;
		41	+ if (p + 11 > limit)
		42	+ return plen; /* Too big */
		43	p++ = 0; / empty name */
		44	PUTSHORT(T_OPT, p);
		45	PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
		46	@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		47	/* Copy back any options */
		48	if (buff)
		49	{
		50	+ if (p + rdlen > limit)
		51	+ {
		52	+ free(buff);
		53	+ return plen; /* Too big */
		54	+ }
		55	memcpy(p, buff, rdlen);
		56	free(buff);
		57	p += rdlen;
		58	@@ -217,8 +224,12 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		59	/* Add new option */
		60	if (optno != 0 && replace != 2)
		61	{
		62	+ if (p + 4 > limit)
		63	+ return plen; /* Too big */
		64	PUTSHORT(optno, p);
		65	PUTSHORT(optlen, p);
		66	+ if (p + optlen > limit)
		67	+ return plen; /* Too big */
		68	memcpy(p, opt, optlen);
		69	p += optlen;
		70	PUTSHORT(p - datap, lenp);
		71	--
		72	2.11.0
		73


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb index 41573d9dd..5b68d98f8 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.76.bb
@@ -2,6 +2,13 @@ require dnsmasq.inc
2		2
3	SRC_URI += "\	3	SRC_URI += "\
4	file://lua.patch \	4	file://lua.patch \
		5	file://dnsmasq-CVE-2017-14491.patch \
		6	file://dnsmasq-CVE-2017-14492.patch \
		7	file://dnsmasq-CVE-2017-14493.patch \
		8	file://dnsmasq-CVE-2017-14494.patch \
		9	file://dnsmasq-CVE-2017-14496.patch \
		10	file://dnsmasq-CVE-2017-14495.patch \
		11	file://dnsmasq-CVE-2017-14491-02.patch \
5	"	12	"
6		13
7	SRC_URI[dnsmasq-2.76.md5sum] = "6610f8233ca89b15a1bb47c788ffb84f"	14	SRC_URI[dnsmasq-2.76.md5sum] = "6610f8233ca89b15a1bb47c788ffb84f"