author | wangmy <wangmy@fujitsu.com> | 2022-09-27 16:21:20 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2022-09-27 10:04:35 -0700 |
commit | 79ed6782a66590d769a516d8b4c15a4330bf7515 (patch) | |
tree | 3027ad8e0ef6b905a889bd51f45b53ccce11cca4 | |
parent | c58be76cbf3a84342c273babf048b60c94a882af (diff) | |
download | meta-openembedded-79ed6782a66590d769a516d8b4c15a4330bf7515.tar.gz |
dnsmasq: upgrade 2.86 -> 2.87
License-Update : format of License file changed.
CVE-2022-0934.patch
deleted since the fix is already included in 2.87.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
4 files changed, 10 insertions, 201 deletions
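--- a/meta-networking/recipes-support/dnsmasq/dnsmasq.inc
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq.inc
@@ -3,8 +3,9 @@ HOMEPAGE = "http://www.thekelleys.org.uk/dnsmasq/doc.html"
 SECTION = "net"
 # GPLv3 was added in version 2.41 as license option
 LICENSE = "GPL-2.0-only | GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
-file://COPYING-v3;md5=d32239bcb673463ab874e80d47fae504"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+file://COPYING-v3;md5=d32239bcb673463ab874e80d47fae504 \
+"
 
 #at least versions 2.69 and prior are moved to the archive folder on the server
 SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getVar('PV').split('.')[1]) > 69]}dnsmasq-${PV}.tar.gz;name=dnsmasq-${PV} \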
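--- a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From 3cdecc159e0f417a2f8d43d99632af26beea630f Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Thu, 31 Mar 2022 21:35:20 +0100
-Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
-refers.
-
-CVE: CVE-2022-0934
-
-Upstream-Status: Backport
-[https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-CHANGELOG | 3 +++
-src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
-2 files changed, 30 insertions(+), 21 deletions(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 5e54df9..a28da2a 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,4 +1,7 @@
-version 2.86
-+ Fix write-after-free error in DHCPv6 server code.
-+ CVE-2022-0934 refers.
-+
-Handle DHCPREBIND requests in the DHCPv6 server code.
-Thanks to Aichun Li for spotting this omission, and the initial
-patch.
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 5c2ff97..6ecfeeb 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -33,9 +33,9 @@ struct state {
-unsigned int mac_len, mac_type;
-};
-
--static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
-+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
-struct in6_addr *client_addr, int is_unicast, time_t now);
--static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
-+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
-static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
-static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
-static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
-@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
-}
-
-/* This cost me blood to write, it will probably cost you blood to understand - srk. */
--static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
-+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
-struct in6_addr *client_addr, int is_unicast, time_t now)
-{
-void *end = inbuff + sz;
-void *opts = inbuff + 34;
-- int msg_type = *((unsigned char *)inbuff);
-+ int msg_type = *inbuff;
-unsigned char *outmsgtypep;
-void *opt;
-struct dhcp_vendor *vendor;
-@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
-return 1;
-}
-
--static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
-+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
-{
-void *opt;
-- int i, o, o1, start_opts;
-+ int i, o, o1, start_opts, start_msg;
-struct dhcp_opt *opt_cfg;
-struct dhcp_netid *tagif;
-struct dhcp_config *config = NULL;
-struct dhcp_netid known_id, iface_id, v6_id;
-- unsigned char *outmsgtypep;
-+ unsigned char outmsgtype;
-struct dhcp_vendor *vendor;
-struct dhcp_context *context_tmp;
-struct dhcp_mac *mac_opt;
-@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-v6_id.next = state->tags;
-state->tags = &v6_id;
-
-- /* copy over transaction-id, and save pointer to message type */
-- if (!(outmsgtypep = put_opt6(inbuff, 4)))
-+ start_msg = save_counter(-1);
-+ /* copy over transaction-id */
-+ if (!put_opt6(inbuff, 4))
-return 0;
-start_opts = save_counter(-1);
-- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
--
-+ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
-+
-/* We're going to be linking tags from all context we use.
-mark them as unused so we don't link one twice and break the list */
-for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
-@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-(msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
-
-{
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-o1 = new_opt6(OPTION6_STATUS_CODE);
-put_opt6_short(DHCP6USEMULTI);
-put_opt6_string("Use multicast");
-@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-struct dhcp_netid *solicit_tags;
-struct dhcp_context *c;
-
-- *outmsgtypep = DHCP6ADVERTISE;
-+ outmsgtype = DHCP6ADVERTISE;
-
-if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
-{
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-state->lease_allocate = 1;
-o = new_opt6(OPTION6_RAPID_COMMIT);
-end_opt6(o);
-@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-int start = save_counter(-1);
-
-/* set reply message type */
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-state->lease_allocate = 1;
-
-log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
-@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-int address_assigned = 0;
-
-/* set reply message type */
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-
-log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL);
-
-@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-int good_addr = 0;
-
-/* set reply message type */
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-
-log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
-
-@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
-if (ignore)
-return 0;
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-tagif = add_options(state, 1);
-break;
-}
-@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-case DHCP6RELEASE:
-{
-/* set reply message type */
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-
-log6_quiet(state, "DHCPRELEASE", NULL, NULL);
-
-@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-case DHCP6DECLINE:
-{
-/* set reply message type */
-- *outmsgtypep = DHCP6REPLY;
-+ outmsgtype = DHCP6REPLY;
-
-log6_quiet(state, "DHCPDECLINE", NULL, NULL);
-
-@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
-}
-
-}
--
-+
-+ /* Fill in the message type. Note that we store the offset,
-+ not a direct pointer, since the packet memory may have been
-+ reallocated. */
-+ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
-+
-log_tags(tagif, state->xid);
-log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
-
---
-2.25.1
-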
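--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require dnsmasq.inc
-
-SRC_URI[dnsmasq-2.86.sha256sum] = "ef15f608a83ee2b1d1d2c1f11d089a7e0ac401ffb0991de73fc01ce5f290e512"
-SRC_URI += "\
-file://lua.patch \
-file://CVE-2022-0934.patch \
-"
-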
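--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.87.bb
@@ -0,0 +1,7 @@
+require dnsmasq.inc
+
+SRC_URI[dnsmasq-2.87.sha256sum] = "ae39bffde9c37e4d64849b528afeb060be6bad6d1044a3bd94a49fce41357284"
+SRC_URI += "\
+file://lua.patch \
+"
+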