diff options
| author | Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> | 2026-05-18 22:43:36 +0530 |
|---|---|---|
| committer | Khem Raj <khem.raj@oss.qualcomm.com> | 2026-05-20 21:18:31 -0700 |
| commit | 44c8962f48a67fbe0fbc8fd830d2f51ae15541a4 (patch) | |
| tree | cd8e1942f33651c0b92bc5cadd6f43e2ca15f29d | |
| parent | b4c48536242d9aa7d1eaf968152fc83edea41923 (diff) | |
| download | meta-openembedded-44c8962f48a67fbe0fbc8fd830d2f51ae15541a4.tar.gz | |
dnsmasq: fix CVE-2026-5172
A buffer overflow in dnsmasq’s extract_addresses() function allows
an attacker to trigger a heap out-of-bounds read and crash by
exploiting a malformed DNS response, enabling extract_name()
to advance the pointer past the record’s end.
Reference:
[ https://nvd.nist.gov/vuln/detail/CVE-2026-5172 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
| -rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb | 1 | ||||
| -rw-r--r-- | meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch | 34 |
2 files changed, 35 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb index 4ae650f7e7..c19467aed9 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb | |||
| @@ -20,6 +20,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV | |||
| 20 | file://CVE-2026-4891.patch \ | 20 | file://CVE-2026-4891.patch \ |
| 21 | file://CVE-2026-4892.patch \ | 21 | file://CVE-2026-4892.patch \ |
| 22 | file://CVE-2026-4893.patch \ | 22 | file://CVE-2026-4893.patch \ |
| 23 | file://CVE-2026-5172.patch \ | ||
| 23 | " | 24 | " |
| 24 | SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1" | 25 | SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1" |
| 25 | 26 | ||
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch new file mode 100644 index 0000000000..ce6e0f464b --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | commit fa3c8ddef6712b52f562813317e6a997e1210123 | ||
| 2 | Author: Simon Kelley <simon@thekelleys.org.uk> | ||
| 3 | Date: Mon Mar 30 16:24:33 2026 +0100 | ||
| 4 | |||
| 5 | Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172 | ||
| 6 | |||
| 7 | Thanks to Hugo Martinez Ray for spotting this. | ||
| 8 | |||
| 9 | The value of rdlen for an RR can be a lie, allowing the | ||
| 10 | call to extract_name() at rfc1025.c:952 to advance the value of p1 | ||
| 11 | past the calculated end of the record. The makes the calculation | ||
| 12 | of bytes remaining in the RR underflow to a huge number and results | ||
| 13 | in a massive heap OOB read and certain crash. | ||
| 14 | |||
| 15 | CVE: CVE-2026-5172 | ||
| 16 | |||
| 17 | Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ] | ||
| 18 | |||
| 19 | Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> | ||
| 20 | |||
| 21 | diff --git a/src/rfc1035.c b/src/rfc1035.c | ||
| 22 | index f0e1082..7e05fb5 100644 | ||
| 23 | --- a/src/rfc1035.c | ||
| 24 | +++ b/src/rfc1035.c | ||
| 25 | @@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t | ||
| 26 | /* Name, extract it then re-encode. */ | ||
| 27 | int len; | ||
| 28 | |||
| 29 | - if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0)) | ||
| 30 | + /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */ | ||
| 31 | + if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr)) | ||
| 32 | { | ||
| 33 | blockdata_free(addr.rrblock.rrdata); | ||
| 34 | return 2; | ||