blob: 218b60a85cc354953f7ea26c546ca17c52a8042e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb <wbx@openadk.org>
Date: Sun, 17 Jan 2016 15:47:22 +0100
Subject: [PATCH] Do not follow compressed items forever.
It is possible to get stuck in an infinite loop when receiving a
specially crafted DNS reply. Exit the loop after a number of iteration
and consider the packet invalid.
Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
Upstream-status: Backport
http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
CVE: CVE-2016-2224
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
libc/inet/resolv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Index: git/libc/inet/resolv.c
===================================================================
--- git.orig/libc/inet/resolv.c
+++ git/libc/inet/resolv.c
@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
bool measure = 1;
unsigned total = 0;
unsigned used = 0;
+ unsigned maxiter = 256;
if (!packet)
return -1;
- while (1) {
+ while (--maxiter) {
if (offset >= packet_len)
return -1;
b = packet[offset++];
@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
else
dest[used++] = '\0';
}
+ if (!maxiter)
+ return -1;
/* The null byte must be counted too */
if (measure)
|