1 files changed, 75 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
new file mode 100644
index 000000000..3e73feb68
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
@@ -0,0 +1,75 @@
+From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
+git://thekelleys.org.uk/dnsmasq
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+Upstream-Status: Backport
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 78410d6..e5628ba 100644
+--- a/src/rfc1035.c
+++ b/src/rfc1035.c
+@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ 
+   va_start(ap, format);   /* make ap point to 1st unamed argument */
+ 
+-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+-  CHECK_LIMIT(12);
+-
+   if (nameoffset > 0)
+     {
+      CHECK_LIMIT(2);
+       PUTSHORT(nameoffset | 0xc000, p);
+     }
+   else
+     {
+       char *name = va_arg(ap, char *);
+-      if (name)
+-       p = do_rfc1035_name(p, name, limit);
+-        if (!p)
+-          {
+-            va_end(ap);
+-            goto truncated;
+-          }
+-
+      if (name && !(p = do_rfc1035_name(p, name, limit)))
+       {
+         va_end(ap);
+         goto truncated;
+       }
+      
+       if (nameoffset < 0)
+        {
+         CHECK_LIMIT(2);
+          PUTSHORT(-nameoffset | 0xc000, p);
+        }
+       else
+-       *p++ = 0;
+       {
+         CHECK_LIMIT(1);
+         *p++ = 0;
+       }
+     }
+ 
+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
+  CHECK_LIMIT(10);
+  
+   PUTSHORT(type, p);
+   PUTSHORT(class, p);
+   PUTLONG(ttl, p);      /* TTL */
+-- 
+2.11.0

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch new file mode 100644 index 000000000..3e73feb68 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
@@ -0,0 +1,75 @@
	1	From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Tue, 26 Sep 2017 22:00:11 +0100
	4	Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.
	5
	6	commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
	7	git://thekelleys.org.uk/dnsmasq
	8
	9	Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
	10	Handles case when RR name is not a pointer to the question,
	11	only occurs for some auth-mode replies, therefore not
	12	detected by fuzzing (?)
	13
	14	Upstream-Status: Backport
	15
	16	Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
	17	---
	18	src/rfc1035.c \| 27 +++++++++++++++------------
	19	1 file changed, 15 insertions(+), 12 deletions(-)
	20
	21	diff --git a/src/rfc1035.c b/src/rfc1035.c
	22	index 78410d6..e5628ba 100644
	23	--- a/src/rfc1035.c
	24	+++ b/src/rfc1035.c
	25	@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header header, char limit, int *truncp, int
	26
	27	va_start(ap, format); /* make ap point to 1st unamed argument */
	28
	29	- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
	30	- CHECK_LIMIT(12);
	31	-
	32	if (nameoffset > 0)
	33	{
	34	+ CHECK_LIMIT(2);
	35	PUTSHORT(nameoffset \| 0xc000, p);
	36	}
	37	else
	38	{
	39	char name = va_arg(ap, char );
	40	- if (name)
	41	- p = do_rfc1035_name(p, name, limit);
	42	- if (!p)
	43	- {
	44	- va_end(ap);
	45	- goto truncated;
	46	- }
	47	-
	48	+ if (name && !(p = do_rfc1035_name(p, name, limit)))
	49	+ {
	50	+ va_end(ap);
	51	+ goto truncated;
	52	+ }
	53	+
	54	if (nameoffset < 0)
	55	{
	56	+ CHECK_LIMIT(2);
	57	PUTSHORT(-nameoffset \| 0xc000, p);
	58	}
	59	else
	60	- *p++ = 0;
	61	+ {
	62	+ CHECK_LIMIT(1);
	63	+ *p++ = 0;
	64	+ }
	65	}
	66
	67	+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
	68	+ CHECK_LIMIT(10);
	69	+
	70	PUTSHORT(type, p);
	71	PUTSHORT(class, p);
	72	PUTLONG(ttl, p); /* TTL */
	73	--
	74	2.11.0
	75