diff options
Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch')
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch new file mode 100644 index 000000000..31014d102 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From e4ae220ee00dcad20a716432badd3210b442ddb4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:16:50 +0100 | ||
4 | Subject: [PATCH 6/7] Security fix, CVE-2017-14495, OOM in DNS response | ||
5 | creation. | ||
6 | |||
7 | commit 51eadb692a5123b9838e5a68ecace3ac579a3a45 upstream | ||
8 | git://thekelleys.org.uk/dnsmasq | ||
9 | |||
10 | Fix out-of-memory Dos vulnerability. An attacker which can | ||
11 | send malicious DNS queries to dnsmasq can trigger memory | ||
12 | allocations in the add_pseudoheader function | ||
13 | The allocated memory is never freed which leads to a DoS | ||
14 | through memory exhaustion. dnsmasq is vulnerable only | ||
15 | if one of the following option is specified: | ||
16 | --add-mac, --add-cpe-id or --add-subnet. | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
21 | --- | ||
22 | src/edns0.c | 8 +++++++- | ||
23 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/src/edns0.c b/src/edns0.c | ||
26 | index a2ef0ea..f48c084 100644 | ||
27 | --- a/src/edns0.c | ||
28 | +++ b/src/edns0.c | ||
29 | @@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
30 | !(p = skip_section(p, | ||
31 | ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), | ||
32 | header, plen))) | ||
33 | + { | ||
34 | + free(buff); | ||
35 | return plen; | ||
36 | + } | ||
37 | if (p + 11 > limit) | ||
38 | - return plen; /* Too big */ | ||
39 | + { | ||
40 | + free(buff); | ||
41 | + return plen; /* Too big */ | ||
42 | + } | ||
43 | *p++ = 0; /* empty name */ | ||
44 | PUTSHORT(T_OPT, p); | ||
45 | PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ | ||
46 | -- | ||
47 | 2.11.0 | ||
48 | |||