diff options
Diffstat (limited to 'meta/recipes-core/busybox/busybox/CVE-2016-2147.patch')
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2016-2147.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001 | ||
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Thu, 10 Mar 2016 11:47:58 +0100 | ||
4 | Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name | ||
5 | |||
6 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2016-2147 | ||
10 | |||
11 | https://git.busybox.net/busybox/commit/?id=d474ffc | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | networking/udhcp/domain_codec.c | 13 +++++++++---- | ||
16 | 1 file changed, 9 insertions(+), 4 deletions(-) | ||
17 | |||
18 | Index: busybox-1.23.2/networking/udhcp/domain_codec.c | ||
19 | =================================================================== | ||
20 | --- busybox-1.23.2.orig/networking/udhcp/domain_codec.c | ||
21 | +++ busybox-1.23.2/networking/udhcp/domain_codec.c | ||
22 | @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t | ||
23 | if (crtpos + *c + 1 > clen) /* label too long? abort */ | ||
24 | return NULL; | ||
25 | if (dst) | ||
26 | - memcpy(dst + len, c + 1, *c); | ||
27 | + /* \3com ---> "com." */ | ||
28 | + ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; | ||
29 | len += *c + 1; | ||
30 | crtpos += *c + 1; | ||
31 | - if (dst) | ||
32 | - dst[len - 1] = '.'; | ||
33 | } else { | ||
34 | /* NUL: end of current domain name */ | ||
35 | if (retpos == 0) { | ||
36 | @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t | ||
37 | crtpos = retpos; | ||
38 | retpos = depth = 0; | ||
39 | } | ||
40 | - if (dst) | ||
41 | + if (dst && len != 0) | ||
42 | + /* \4host\3com\0\4host and we are at \0: | ||
43 | + * \3com was converted to "com.", change dot to space. | ||
44 | + */ | ||
45 | dst[len - 1] = ' '; | ||
46 | } | ||
47 | |||
48 | @@ -228,6 +230,9 @@ int main(int argc, char **argv) | ||
49 | int len; | ||
50 | uint8_t *encoded; | ||
51 | |||
52 | + uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; | ||
53 | + printf("NUL:'%s'\n", dname_dec(str, 6, "")); | ||
54 | + | ||
55 | #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) | ||
56 | printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); | ||
57 | printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); | ||