Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch')
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch | 73 |
1 files changed, 73 insertions, 0 deletions
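--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch
@@ -0,0 +1,73 @@
+From c25545680679a12d78dd80662ed1bc5d97a38d6d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:11:58 +0100
+Subject: [PATCH 5/7] Security fix, CVE-2017-14496, Integer underflow in DNS
+response creation.
+
+commit 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 upstream
+git://thekelleys.org.uk/dnsmasq
+
+Fix DoS in DNS. Invalid boundary checks in the
+add_pseudoheader function allows a memcpy call with negative
+size An attacker which can send malicious DNS queries
+to dnsmasq can trigger a DoS remotely.
+dnsmasq is vulnerable only if one of the following option is
+specified: --add-mac, --add-cpe-id or --add-subnet.
+
+Upstream-Status: Backport
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+src/edns0.c | 13 ++++++++++++-
+1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index c7a101e..a2ef0ea 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+GETSHORT(len, p);
+
+/* malformed option, delete the whole OPT RR and start again. */
+- if (i + len > rdlen)
++ if (i + 4 + len > rdlen)
+{
+rdlen = 0;
+is_last = 0;
+@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
+header, plen)))
+return plen;
++ if (p + 11 > limit)
++ return plen; /* Too big */
+*p++ = 0; /* empty name */
+PUTSHORT(T_OPT, p);
+PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+/* Copy back any options */
+if (buff)
+{
++ if (p + rdlen > limit)
++ {
++ free(buff);
++ return plen; /* Too big */
++ }
+memcpy(p, buff, rdlen);
+free(buff);
+p += rdlen;
+@@ -217,8 +224,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+/* Add new option */
+if (optno != 0 && replace != 2)
+{
++ if (p + 4 > limit)
++ return plen; /* Too big */
+PUTSHORT(optno, p);
+PUTSHORT(optlen, p);
++ if (p + optlen > limit)
++ return plen; /* Too big */
+memcpy(p, opt, optlen);
+p += optlen;
+PUTSHORT(p - datap, lenp);
+--
+2.11.0
+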
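Review bot: The `if (p + 11 > limit) return plen;` added in the `@@ -193,6 +193,8 @@` hunk of src/edns0.c returns without releasing `buff`, whereas the `p + rdlen > limit` check added a few lines later does `free(buff)` before returning; if `buff` can be non-NULL at that point (the `if (buff)` copy-back that follows suggests it holds options saved from an existing OPT RR), every oversized packet that takes the new early exit leaks that allocation, which is a remotely triggerable leak in the same code path this patch is hardening. The two new bail-outs should be consistent: `if (p + 11 > limit) { free(buff); return plen; /* Too big */ }` (free(NULL) is a no-op, so no extra guard is needed). A minor point on the same lines: forming `p + 11`, `p + rdlen` and `p + optlen` can move the pointer past the end of the buffer before the comparison, which is technically undefined pointer arithmetic; `limit - p < 11` and `(size_t)(limit - p) < rdlen` express the same bounds without that. The body of add_pseudoheader starts and ends outside these hunks.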