summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
blob: 218b60a85cc354953f7ea26c546ca17c52a8042e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb <wbx@openadk.org>
Date: Sun, 17 Jan 2016 15:47:22 +0100
Subject: [PATCH] Do not follow compressed items forever.

It is possible to get stuck in an infinite loop when receiving a
specially crafted DNS reply. Exit the loop after a number of iteration
and consider the packet invalid.

Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

Upstream-status: Backport
http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515

CVE: CVE-2016-2224
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 libc/inet/resolv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: git/libc/inet/resolv.c
===================================================================
--- git.orig/libc/inet/resolv.c
+++ git/libc/inet/resolv.c
@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
 	bool measure = 1;
 	unsigned total = 0;
 	unsigned used = 0;
+	unsigned maxiter = 256;
 
 	if (!packet)
 		return -1;
 
-	while (1) {
+	while (--maxiter) {
 		if (offset >= packet_len)
 			return -1;
 		b = packet[offset++];
@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
 		else
 			dest[used++] = '\0';
 	}
+	if (!maxiter)
+		return -1;
 
 	/* The null byte must be counted too */
 	if (measure)