diff options
Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq')
7 files changed, 575 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch new file mode 100644 index 000000000..3e73feb68 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Tue, 26 Sep 2017 22:00:11 +0100 | ||
4 | Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow. | ||
5 | |||
6 | commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream | ||
7 | git://thekelleys.org.uk/dnsmasq | ||
8 | |||
9 | Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc | ||
10 | Handles case when RR name is not a pointer to the question, | ||
11 | only occurs for some auth-mode replies, therefore not | ||
12 | detected by fuzzing (?) | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
17 | --- | ||
18 | src/rfc1035.c | 27 +++++++++++++++------------ | ||
19 | 1 file changed, 15 insertions(+), 12 deletions(-) | ||
20 | |||
21 | diff --git a/src/rfc1035.c b/src/rfc1035.c | ||
22 | index 78410d6..e5628ba 100644 | ||
23 | --- a/src/rfc1035.c | ||
24 | +++ b/src/rfc1035.c | ||
25 | @@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
26 | |||
27 | va_start(ap, format); /* make ap point to 1st unamed argument */ | ||
28 | |||
29 | - /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ | ||
30 | - CHECK_LIMIT(12); | ||
31 | - | ||
32 | if (nameoffset > 0) | ||
33 | { | ||
34 | + CHECK_LIMIT(2); | ||
35 | PUTSHORT(nameoffset | 0xc000, p); | ||
36 | } | ||
37 | else | ||
38 | { | ||
39 | char *name = va_arg(ap, char *); | ||
40 | - if (name) | ||
41 | - p = do_rfc1035_name(p, name, limit); | ||
42 | - if (!p) | ||
43 | - { | ||
44 | - va_end(ap); | ||
45 | - goto truncated; | ||
46 | - } | ||
47 | - | ||
48 | + if (name && !(p = do_rfc1035_name(p, name, limit))) | ||
49 | + { | ||
50 | + va_end(ap); | ||
51 | + goto truncated; | ||
52 | + } | ||
53 | + | ||
54 | if (nameoffset < 0) | ||
55 | { | ||
56 | + CHECK_LIMIT(2); | ||
57 | PUTSHORT(-nameoffset | 0xc000, p); | ||
58 | } | ||
59 | else | ||
60 | - *p++ = 0; | ||
61 | + { | ||
62 | + CHECK_LIMIT(1); | ||
63 | + *p++ = 0; | ||
64 | + } | ||
65 | } | ||
66 | |||
67 | + /* type (2) + class (2) + ttl (4) + rdlen (2) */ | ||
68 | + CHECK_LIMIT(10); | ||
69 | + | ||
70 | PUTSHORT(type, p); | ||
71 | PUTSHORT(class, p); | ||
72 | PUTLONG(ttl, p); /* TTL */ | ||
73 | -- | ||
74 | 2.11.0 | ||
75 | |||
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch new file mode 100644 index 000000000..05986788d --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491.patch | |||
@@ -0,0 +1,268 @@ | |||
1 | From 8644f7c99c5e2fde6b6872a4ab820d3520f44e24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:17:11 +0100 | ||
4 | Subject: [PATCH 1/7] Security fix, CVE-2017-14491 DNS heap buffer overflow. | ||
5 | |||
6 | commit 0549c73b7ea6b22a3c49beb4d432f185a81efcbc upstream | ||
7 | git://thekelleys.org.uk/dnsmasq | ||
8 | |||
9 | Fix heap overflow in DNS code. This is a potentially serious | ||
10 | security hole. It allows an attacker who can make DNS | ||
11 | requests to dnsmasq, and who controls the contents of | ||
12 | a domain, which is thereby queried, to overflow | ||
13 | (by 2 bytes) a heap buffer and either crash, or | ||
14 | even take control of, dnsmasq. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
19 | --- | ||
20 | src/dnsmasq.h | 2 +- | ||
21 | src/dnssec.c | 2 +- | ||
22 | src/option.c | 2 +- | ||
23 | src/rfc1035.c | 50 +++++++++++++++++++++++++++++++++++++++++--------- | ||
24 | src/rfc2131.c | 4 ++-- | ||
25 | src/rfc3315.c | 4 ++-- | ||
26 | src/util.c | 7 ++++++- | ||
27 | 7 files changed, 54 insertions(+), 17 deletions(-) | ||
28 | |||
29 | diff --git a/src/dnsmasq.h b/src/dnsmasq.h | ||
30 | index 1896a64..ed5da36 100644 | ||
31 | --- a/src/dnsmasq.h | ||
32 | +++ b/src/dnsmasq.h | ||
33 | @@ -1161,7 +1161,7 @@ u32 rand32(void); | ||
34 | u64 rand64(void); | ||
35 | int legal_hostname(char *c); | ||
36 | char *canonicalise(char *s, int *nomem); | ||
37 | -unsigned char *do_rfc1035_name(unsigned char *p, char *sval); | ||
38 | +unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit); | ||
39 | void *safe_malloc(size_t size); | ||
40 | void safe_pipe(int *fd, int read_noblock); | ||
41 | void *whine_malloc(size_t size); | ||
42 | diff --git a/src/dnssec.c b/src/dnssec.c | ||
43 | index 3c77c7d..f45c804 100644 | ||
44 | --- a/src/dnssec.c | ||
45 | +++ b/src/dnssec.c | ||
46 | @@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char | ||
47 | |||
48 | p = (unsigned char *)(header+1); | ||
49 | |||
50 | - p = do_rfc1035_name(p, name); | ||
51 | + p = do_rfc1035_name(p, name, NULL); | ||
52 | *p++ = 0; | ||
53 | PUTSHORT(type, p); | ||
54 | PUTSHORT(class, p); | ||
55 | diff --git a/src/option.c b/src/option.c | ||
56 | index d8c57d6..0e1c326 100644 | ||
57 | --- a/src/option.c | ||
58 | +++ b/src/option.c | ||
59 | @@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char *errstr, char *arg, int flags) | ||
60 | } | ||
61 | |||
62 | p = newp; | ||
63 | - end = do_rfc1035_name(p + len, dom); | ||
64 | + end = do_rfc1035_name(p + len, dom, NULL); | ||
65 | *end++ = 0; | ||
66 | len = end - p; | ||
67 | free(dom); | ||
68 | diff --git a/src/rfc1035.c b/src/rfc1035.c | ||
69 | index 24d08c1..78410d6 100644 | ||
70 | --- a/src/rfc1035.c | ||
71 | +++ b/src/rfc1035.c | ||
72 | @@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog | ||
73 | return 0; | ||
74 | } | ||
75 | |||
76 | + | ||
77 | int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, | ||
78 | unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...) | ||
79 | { | ||
80 | @@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
81 | unsigned short usval; | ||
82 | long lval; | ||
83 | char *sval; | ||
84 | +#define CHECK_LIMIT(size) \ | ||
85 | + if (limit && p + (size) > (unsigned char*)limit) \ | ||
86 | + { \ | ||
87 | + va_end(ap); \ | ||
88 | + goto truncated; \ | ||
89 | + } | ||
90 | |||
91 | if (truncp && *truncp) | ||
92 | return 0; | ||
93 | - | ||
94 | + | ||
95 | va_start(ap, format); /* make ap point to 1st unamed argument */ | ||
96 | - | ||
97 | + | ||
98 | + /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ | ||
99 | + CHECK_LIMIT(12); | ||
100 | + | ||
101 | if (nameoffset > 0) | ||
102 | { | ||
103 | PUTSHORT(nameoffset | 0xc000, p); | ||
104 | @@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
105 | { | ||
106 | char *name = va_arg(ap, char *); | ||
107 | if (name) | ||
108 | - p = do_rfc1035_name(p, name); | ||
109 | + p = do_rfc1035_name(p, name, limit); | ||
110 | + if (!p) | ||
111 | + { | ||
112 | + va_end(ap); | ||
113 | + goto truncated; | ||
114 | + } | ||
115 | + | ||
116 | if (nameoffset < 0) | ||
117 | { | ||
118 | PUTSHORT(-nameoffset | 0xc000, p); | ||
119 | @@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
120 | { | ||
121 | #ifdef HAVE_IPV6 | ||
122 | case '6': | ||
123 | + CHECK_LIMIT(IN6ADDRSZ); | ||
124 | sval = va_arg(ap, char *); | ||
125 | memcpy(p, sval, IN6ADDRSZ); | ||
126 | p += IN6ADDRSZ; | ||
127 | @@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
128 | #endif | ||
129 | |||
130 | case '4': | ||
131 | + CHECK_LIMIT(INADDRSZ); | ||
132 | sval = va_arg(ap, char *); | ||
133 | memcpy(p, sval, INADDRSZ); | ||
134 | p += INADDRSZ; | ||
135 | break; | ||
136 | |||
137 | case 'b': | ||
138 | + CHECK_LIMIT(1); | ||
139 | usval = va_arg(ap, int); | ||
140 | *p++ = usval; | ||
141 | break; | ||
142 | |||
143 | case 's': | ||
144 | + CHECK_LIMIT(2); | ||
145 | usval = va_arg(ap, int); | ||
146 | PUTSHORT(usval, p); | ||
147 | break; | ||
148 | |||
149 | case 'l': | ||
150 | + CHECK_LIMIT(4); | ||
151 | lval = va_arg(ap, long); | ||
152 | PUTLONG(lval, p); | ||
153 | break; | ||
154 | |||
155 | case 'd': | ||
156 | - /* get domain-name answer arg and store it in RDATA field */ | ||
157 | - if (offset) | ||
158 | - *offset = p - (unsigned char *)header; | ||
159 | - p = do_rfc1035_name(p, va_arg(ap, char *)); | ||
160 | - *p++ = 0; | ||
161 | + /* get domain-name answer arg and store it in RDATA field */ | ||
162 | + if (offset) | ||
163 | + *offset = p - (unsigned char *)header; | ||
164 | + p = do_rfc1035_name(p, va_arg(ap, char *), limit); | ||
165 | + if (!p) | ||
166 | + { | ||
167 | + va_end(ap); | ||
168 | + goto truncated; | ||
169 | + } | ||
170 | + CHECK_LIMIT(1); | ||
171 | + *p++ = 0; | ||
172 | break; | ||
173 | |||
174 | case 't': | ||
175 | usval = va_arg(ap, int); | ||
176 | + CHECK_LIMIT(usval); | ||
177 | sval = va_arg(ap, char *); | ||
178 | if (usval != 0) | ||
179 | memcpy(p, sval, usval); | ||
180 | @@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int | ||
181 | usval = sval ? strlen(sval) : 0; | ||
182 | if (usval > 255) | ||
183 | usval = 255; | ||
184 | + CHECK_LIMIT(usval + 1); | ||
185 | *p++ = (unsigned char)usval; | ||
186 | memcpy(p, sval, usval); | ||
187 | p += usval; | ||
188 | break; | ||
189 | } | ||
190 | |||
191 | +#undef CHECK_LIMIT | ||
192 | va_end(ap); /* clean up variable argument pointer */ | ||
193 | |||
194 | j = p - sav - 2; | ||
195 | - PUTSHORT(j, sav); /* Now, store real RDLength */ | ||
196 | + /* this has already been checked against limit before */ | ||
197 | + PUTSHORT(j, sav); /* Now, store real RDLength */ | ||
198 | |||
199 | /* check for overflow of buffer */ | ||
200 | if (limit && ((unsigned char *)limit - p) < 0) | ||
201 | { | ||
202 | +truncated: | ||
203 | if (truncp) | ||
204 | *truncp = 1; | ||
205 | return 0; | ||
206 | diff --git a/src/rfc2131.c b/src/rfc2131.c | ||
207 | index b7c167e..0dffd36 100644 | ||
208 | --- a/src/rfc2131.c | ||
209 | +++ b/src/rfc2131.c | ||
210 | @@ -2419,10 +2419,10 @@ static void do_options(struct dhcp_context *context, | ||
211 | |||
212 | if (fqdn_flags & 0x04) | ||
213 | { | ||
214 | - p = do_rfc1035_name(p, hostname); | ||
215 | + p = do_rfc1035_name(p, hostname, NULL); | ||
216 | if (domain) | ||
217 | { | ||
218 | - p = do_rfc1035_name(p, domain); | ||
219 | + p = do_rfc1035_name(p, domain, NULL); | ||
220 | *p++ = 0; | ||
221 | } | ||
222 | } | ||
223 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
224 | index 3f4d69c..73bdee4 100644 | ||
225 | --- a/src/rfc3315.c | ||
226 | +++ b/src/rfc3315.c | ||
227 | @@ -1472,10 +1472,10 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh) | ||
228 | if ((p = expand(len + 2))) | ||
229 | { | ||
230 | *(p++) = state->fqdn_flags; | ||
231 | - p = do_rfc1035_name(p, state->hostname); | ||
232 | + p = do_rfc1035_name(p, state->hostname, NULL); | ||
233 | if (state->send_domain) | ||
234 | { | ||
235 | - p = do_rfc1035_name(p, state->send_domain); | ||
236 | + p = do_rfc1035_name(p, state->send_domain, NULL); | ||
237 | *p = 0; | ||
238 | } | ||
239 | } | ||
240 | diff --git a/src/util.c b/src/util.c | ||
241 | index 93b24f5..a377e6f 100644 | ||
242 | --- a/src/util.c | ||
243 | +++ b/src/util.c | ||
244 | @@ -218,15 +218,20 @@ char *canonicalise(char *in, int *nomem) | ||
245 | return ret; | ||
246 | } | ||
247 | |||
248 | -unsigned char *do_rfc1035_name(unsigned char *p, char *sval) | ||
249 | +unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit) | ||
250 | { | ||
251 | int j; | ||
252 | |||
253 | while (sval && *sval) | ||
254 | { | ||
255 | + if (limit && p + 1 > (unsigned char*)limit) | ||
256 | + return p; | ||
257 | + | ||
258 | unsigned char *cp = p++; | ||
259 | for (j = 0; *sval && (*sval != '.'); sval++, j++) | ||
260 | { | ||
261 | + if (limit && p + 1 > (unsigned char*)limit) | ||
262 | + return p; | ||
263 | #ifdef HAVE_DNSSEC | ||
264 | if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) | ||
265 | *p++ = (*(++sval))-1; | ||
266 | -- | ||
267 | 2.11.0 | ||
268 | |||
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch new file mode 100644 index 000000000..19949314c --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14492.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 6a0e7dbac67a8393e4505e593e5c46544c53eae0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:47:15 +0100 | ||
4 | Subject: [PATCH 2/7] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow. | ||
5 | |||
6 | commit 24036ea507862c7b7898b68289c8130f85599c10 upstream | ||
7 | git://thekelleys.org.uk/dnsmasq | ||
8 | |||
9 | Fix heap overflow in IPv6 router advertisement code. | ||
10 | This is a potentially serious security hole, as a | ||
11 | crafted RA request can overflow a buffer and crash or | ||
12 | control dnsmasq. Attacker must be on the local network. | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
17 | --- | ||
18 | src/radv.c | 3 +++ | ||
19 | 1 file changed, 3 insertions(+) | ||
20 | |||
21 | diff --git a/src/radv.c b/src/radv.c | ||
22 | index 749b666..d09fe0e 100644 | ||
23 | --- a/src/radv.c | ||
24 | +++ b/src/radv.c | ||
25 | @@ -198,6 +198,9 @@ void icmp6_packet(time_t now) | ||
26 | /* look for link-layer address option for logging */ | ||
27 | if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz) | ||
28 | { | ||
29 | + if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) { | ||
30 | + return; | ||
31 | + } | ||
32 | print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2); | ||
33 | mac = daemon->namebuff; | ||
34 | } | ||
35 | -- | ||
36 | 2.11.0 | ||
37 | |||
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch new file mode 100644 index 000000000..ae99cf49a --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14493.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From f23f4be3cb72d307806e3d3ca14779f69ac5494c Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 18:52:50 +0100 | ||
4 | Subject: [PATCH 3/7] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer | ||
5 | overflow. | ||
6 | |||
7 | commit 3d4ff1ba8419546490b464418223132529514033 upstream | ||
8 | git://thekelleys.org.uk/dnsmasq | ||
9 | |||
10 | Fix stack overflow in DHCPv6 code. An attacker who can send | ||
11 | a DHCPv6 request to dnsmasq can overflow the stack frame and | ||
12 | crash or control dnsmasq. | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
17 | --- | ||
18 | src/rfc3315.c | 3 +++ | ||
19 | 1 file changed, 3 insertions(+) | ||
20 | |||
21 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
22 | index 73bdee4..8d18a28 100644 | ||
23 | --- a/src/rfc3315.c | ||
24 | +++ b/src/rfc3315.c | ||
25 | @@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, | ||
26 | /* RFC-6939 */ | ||
27 | if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) | ||
28 | { | ||
29 | + if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) { | ||
30 | + return 0; | ||
31 | + } | ||
32 | state->mac_type = opt6_uint(opt, 0, 2); | ||
33 | state->mac_len = opt6_len(opt) - 2; | ||
34 | memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); | ||
35 | -- | ||
36 | 2.11.0 | ||
37 | |||
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch new file mode 100644 index 000000000..a6f0e2abe --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From aba3f8df87d104d599920ea44e96191601638961 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:05:11 +0100 | ||
4 | Subject: [PATCH 4/7] Security fix, CVE-2017-14494, Infoleak handling DHCPv6 | ||
5 | forwarded requests. | ||
6 | |||
7 | commit 33e3f1029c9ec6c63e430ff51063a6301d4b2262 upstream | ||
8 | git://thekelleys.org.uk/dnsmasq | ||
9 | |||
10 | Fix information leak in DHCPv6. A crafted DHCPv6 packet can | ||
11 | cause dnsmasq to forward memory from outside the packet | ||
12 | buffer to a DHCPv6 server when acting as a relay. | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
17 | --- | ||
18 | src/rfc3315.c | 3 +++ | ||
19 | 1 file changed, 3 insertions(+) | ||
20 | |||
21 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
22 | index 8d18a28..03b3f84 100644 | ||
23 | --- a/src/rfc3315.c | ||
24 | +++ b/src/rfc3315.c | ||
25 | @@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, | ||
26 | |||
27 | for (opt = opts; opt; opt = opt6_next(opt, end)) | ||
28 | { | ||
29 | + if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) { | ||
30 | + return 0; | ||
31 | + } | ||
32 | int o = new_opt6(opt6_type(opt)); | ||
33 | if (opt6_type(opt) == OPTION6_RELAY_MSG) | ||
34 | { | ||
35 | -- | ||
36 | 2.11.0 | ||
37 | |||
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch new file mode 100644 index 000000000..31014d102 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14495.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From e4ae220ee00dcad20a716432badd3210b442ddb4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:16:50 +0100 | ||
4 | Subject: [PATCH 6/7] Security fix, CVE-2017-14495, OOM in DNS response | ||
5 | creation. | ||
6 | |||
7 | commit 51eadb692a5123b9838e5a68ecace3ac579a3a45 upstream | ||
8 | git://thekelleys.org.uk/dnsmasq | ||
9 | |||
10 | Fix out-of-memory Dos vulnerability. An attacker which can | ||
11 | send malicious DNS queries to dnsmasq can trigger memory | ||
12 | allocations in the add_pseudoheader function | ||
13 | The allocated memory is never freed which leads to a DoS | ||
14 | through memory exhaustion. dnsmasq is vulnerable only | ||
15 | if one of the following option is specified: | ||
16 | --add-mac, --add-cpe-id or --add-subnet. | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
21 | --- | ||
22 | src/edns0.c | 8 +++++++- | ||
23 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/src/edns0.c b/src/edns0.c | ||
26 | index a2ef0ea..f48c084 100644 | ||
27 | --- a/src/edns0.c | ||
28 | +++ b/src/edns0.c | ||
29 | @@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
30 | !(p = skip_section(p, | ||
31 | ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), | ||
32 | header, plen))) | ||
33 | + { | ||
34 | + free(buff); | ||
35 | return plen; | ||
36 | + } | ||
37 | if (p + 11 > limit) | ||
38 | - return plen; /* Too big */ | ||
39 | + { | ||
40 | + free(buff); | ||
41 | + return plen; /* Too big */ | ||
42 | + } | ||
43 | *p++ = 0; /* empty name */ | ||
44 | PUTSHORT(T_OPT, p); | ||
45 | PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ | ||
46 | -- | ||
47 | 2.11.0 | ||
48 | |||
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch new file mode 100644 index 000000000..fc50ef084 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From c25545680679a12d78dd80662ed1bc5d97a38d6d Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
3 | Date: Mon, 25 Sep 2017 20:11:58 +0100 | ||
4 | Subject: [PATCH 5/7] Security fix, CVE-2017-14496, Integer underflow in DNS | ||
5 | response creation. | ||
6 | |||
7 | commit 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 upstream | ||
8 | git://thekelleys.org.uk/dnsmasq | ||
9 | |||
10 | Fix DoS in DNS. Invalid boundary checks in the | ||
11 | add_pseudoheader function allows a memcpy call with negative | ||
12 | size An attacker which can send malicious DNS queries | ||
13 | to dnsmasq can trigger a DoS remotely. | ||
14 | dnsmasq is vulnerable only if one of the following option is | ||
15 | specified: --add-mac, --add-cpe-id or --add-subnet. | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> | ||
20 | --- | ||
21 | src/edns0.c | 13 ++++++++++++- | ||
22 | 1 file changed, 12 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/src/edns0.c b/src/edns0.c | ||
25 | index c7a101e..a2ef0ea 100644 | ||
26 | --- a/src/edns0.c | ||
27 | +++ b/src/edns0.c | ||
28 | @@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
29 | GETSHORT(len, p); | ||
30 | |||
31 | /* malformed option, delete the whole OPT RR and start again. */ | ||
32 | - if (i + len > rdlen) | ||
33 | + if (i + 4 + len > rdlen) | ||
34 | { | ||
35 | rdlen = 0; | ||
36 | is_last = 0; | ||
37 | @@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
38 | ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), | ||
39 | header, plen))) | ||
40 | return plen; | ||
41 | + if (p + 11 > limit) | ||
42 | + return plen; /* Too big */ | ||
43 | *p++ = 0; /* empty name */ | ||
44 | PUTSHORT(T_OPT, p); | ||
45 | PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ | ||
46 | @@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
47 | /* Copy back any options */ | ||
48 | if (buff) | ||
49 | { | ||
50 | + if (p + rdlen > limit) | ||
51 | + { | ||
52 | + free(buff); | ||
53 | + return plen; /* Too big */ | ||
54 | + } | ||
55 | memcpy(p, buff, rdlen); | ||
56 | free(buff); | ||
57 | p += rdlen; | ||
58 | @@ -217,8 +224,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l | ||
59 | /* Add new option */ | ||
60 | if (optno != 0 && replace != 2) | ||
61 | { | ||
62 | + if (p + 4 > limit) | ||
63 | + return plen; /* Too big */ | ||
64 | PUTSHORT(optno, p); | ||
65 | PUTSHORT(optlen, p); | ||
66 | + if (p + optlen > limit) | ||
67 | + return plen; /* Too big */ | ||
68 | memcpy(p, opt, optlen); | ||
69 | p += optlen; | ||
70 | PUTSHORT(p - datap, lenp); | ||
71 | -- | ||
72 | 2.11.0 | ||
73 | |||