Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch')
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch | 75 |
1 files changed, 75 insertions, 0 deletions
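--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
@@ -0,0 +1,75 @@
+From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
+git://thekelleys.org.uk/dnsmasq
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+
+Upstream-Status: Backport
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+src/rfc1035.c | 27 +++++++++++++++------------
+1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 78410d6..e5628ba 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+
+va_start(ap, format); /* make ap point to 1st unamed argument */
+
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+-
+if (nameoffset > 0)
+{
++ CHECK_LIMIT(2);
+PUTSHORT(nameoffset | 0xc000, p);
+}
+else
+{
+char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+-
++ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++
+if (nameoffset < 0)
+{
++ CHECK_LIMIT(2);
+PUTSHORT(-nameoffset | 0xc000, p);
+}
+else
+- *p++ = 0;
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+}
+
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++
+PUTSHORT(type, p);
+PUTSHORT(class, p);
+PUTLONG(ttl, p); /* TTL */
+--
+2.11.0
+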
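Review bot: The patch header has `Upstream-Status: Backport` but no `CVE:` tag, so the CVE is recorded only in the file name and the Subject line; adding `CVE: CVE-2017-14491` next to the Upstream-Status line would make the fix explicit to anyone auditing patch headers. The description calls this a further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc, and the removed `CHECK_LIMIT(12)` and the three-argument `do_rfc1035_name(p, name, limit)` call presumably come from that earlier change, so this file likely applies only on top of its backport. The recipe's patch list is outside this view (the diffstat is limited to this file) and should be checked for both presence and order. In the inner hunk each write on the name path is now preceded by its own `CHECK_LIMIT`, but the macro and the `truncated` label are defined outside the hunk, so how the check behaves when `limit` is NULL cannot be confirmed from here.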