From 997caf9146cd3797cd054e2adebd1fbb4df91911 Mon Sep 17 00:00:00 2001
From: Zhang Xiao <xiao.zhang@windriver.com>
Date: Fri, 4 May 2018 15:04:33 -0700
Subject: dnsmasq: backport CVE fixes from dnsmasq 2.78

CVE-2017-1449{1-6}

Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch   | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch

(limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch')

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch
new file mode 100644
index 000000000..a6f0e2abe
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14494.patch
@@ -0,0 +1,37 @@
+From aba3f8df87d104d599920ea44e96191601638961 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:05:11 +0100
+Subject: [PATCH 4/7] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
+ forwarded requests.
+
+commit 33e3f1029c9ec6c63e430ff51063a6301d4b2262 upstream
+git://thekelleys.org.uk/dnsmasq
+
+Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+cause dnsmasq to forward memory from outside the packet
+buffer to a DHCPv6 server when acting as a relay.
+
+Upstream-Status: Backport
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 8d18a28..03b3f84 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   
+   for (opt = opts; opt; opt = opt6_next(opt, end))
+     {
++      if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
++        return 0;
++      }
+       int o = new_opt6(opt6_type(opt));
+       if (opt6_type(opt) == OPTION6_RELAY_MSG)
+ 	{
+-- 
+2.11.0
+
-- 
cgit v1.2.3-54-g00ecf