dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relay

Source: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git MR: 121726 Type: Security Fix Disposition: Backport from https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39 ChangeID: be554ef6ebedd7148404ea3cc280f2e42e17dc8c Description: CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-09-23 10:05:10 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-10-30 14:47:43 -0400
commit: 8377de16245ae355dfe528bb69a7dae391f79331 (patch)
tree: 4e99aaf06368a6c8485e709bcb743052f0f7bcc2
parent: 62842aac9810b9d430ca3621d9e909be653954ae (diff)
download: meta-openembedded-8377de16245ae355dfe528bb69a7dae391f79331.tar.gz
2 files changed, 189 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
new file mode 100644
index 0000000000..b2ef22c06f
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
@@ -0,0 +1,188 @@
+From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 22 Sep 2022 17:39:21 +0530
+Subject: [PATCH] CVE-2022-0934
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39]
+CVE: CVE-2022-0934
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ CHANGELOG     |  2 ++
+ src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
+ 2 files changed, 29 insertions(+), 21 deletions(-)
+diff --git a/CHANGELOG b/CHANGELOG
+index 60b08d0..d1d7e41 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -88,6 +88,8 @@ version 2.81
+ 
+        Add --script-on-renewal option.
+ 
+       Fix write-after-free error in DHCPv6 server code.
+       CVE-2022-0934 refers.
+        
+ version 2.80
+        Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index b3f0a0a..eef1360 100644
+--- a/src/rfc3315.c
+++ b/src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+   unsigned int mac_len, mac_type;
+ };
+ 
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, 
+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+                             struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
+ }
+ 
+ /* This cost me blood to write, it will probably cost you blood to understand - srk. */
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, 
+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+                             struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+   void *end = inbuff + sz;
+   void *opts = inbuff + 34;
+-  int msg_type = *((unsigned char *)inbuff);
+  int msg_type = *inbuff;
+   unsigned char *outmsgtypep;
+   void *opt;
+   struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   return 1;
+ }
+ 
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+   void *opt;
+-  int i, o, o1, start_opts;
+  int i, o, o1, start_opts, start_msg;
+   struct dhcp_opt *opt_cfg;
+   struct dhcp_netid *tagif;
+   struct dhcp_config *config = NULL;
+   struct dhcp_netid known_id, iface_id, v6_id;
+-  unsigned char *outmsgtypep;
+  unsigned char outmsgtype;
+   struct dhcp_vendor *vendor;
+   struct dhcp_context *context_tmp;
+   struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+   v6_id.next = state->tags;
+   state->tags = &v6_id;
+ 
+-  /* copy over transaction-id, and save pointer to message type */
+-  if (!(outmsgtypep = put_opt6(inbuff, 4)))
+  start_msg = save_counter(-1);
+  /* copy over transaction-id */
+  if (!put_opt6(inbuff, 4))
+     return 0;
+   start_opts = save_counter(-1);
+-  state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-   
+  state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
+
+   /* We're going to be linking tags from all context we use. 
+      mark them as unused so we don't link one twice and break the list */
+   for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+       (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+     
+     {  
+-      *outmsgtypep = DHCP6REPLY;
+      outmsgtype = DHCP6REPLY;
+       o1 = new_opt6(OPTION6_STATUS_CODE);
+       put_opt6_short(DHCP6USEMULTI);
+       put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+        struct dhcp_netid *solicit_tags;
+        struct dhcp_context *c;
+        
+-       *outmsgtypep = DHCP6ADVERTISE;
+       outmsgtype = DHCP6ADVERTISE;
+        
+        if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+          {
+-           *outmsgtypep = DHCP6REPLY;
+           outmsgtype = DHCP6REPLY;
+            state->lease_allocate = 1;
+            o = new_opt6(OPTION6_RAPID_COMMIT);
+            end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+        int start = save_counter(-1);
+ 
+        /* set reply message type */
+-       *outmsgtypep = DHCP6REPLY;
+       outmsgtype = DHCP6REPLY;
+        state->lease_allocate = 1;
+ 
+        log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+     case DHCP6RENEW:
+       {
+        /* set reply message type */
+-       *outmsgtypep = DHCP6REPLY;
+       outmsgtype = DHCP6REPLY;
+        
+        log6_quiet(state, "DHCPRENEW", NULL, NULL);
+ 
+@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+        int good_addr = 0;
+ 
+        /* set reply message type */
+-       *outmsgtypep = DHCP6REPLY;
+       outmsgtype = DHCP6REPLY;
+        
+        log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+        
+@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+        log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
+        if (ignore)
+          return 0;
+-       *outmsgtypep = DHCP6REPLY;
+       outmsgtype = DHCP6REPLY;
+        tagif = add_options(state, 1);
+        break;
+       }
+@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+     case DHCP6RELEASE:
+       {
+        /* set reply message type */
+-       *outmsgtypep = DHCP6REPLY;
+       outmsgtype = DHCP6REPLY;
+ 
+        log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+ 
+@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+     case DHCP6DECLINE:
+       {
+        /* set reply message type */
+-       *outmsgtypep = DHCP6REPLY;
+       outmsgtype = DHCP6REPLY;
+        
+        log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+ 
+@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+       }
+ 
+     }
+-  
+
+  /* Fill in the message type. Note that we store the offset,
+     not a direct pointer, since the packet memory may have been
+     reallocated. */
+  ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
+
+   log_tags(tagif, state->xid);
+   log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+   
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index 2fb389915b..8db57edb79 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -11,4 +11,5 @@ SRC_URI += "\
    file://CVE-2020-25686-1.patch \
    file://CVE-2020-25686-2.patch \
    file://CVE-2021-3448.patch \
+    file://CVE-2022-0934.patch \
 "
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-09-23 10:05:10 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-10-30 14:47:43 -0400
commit	8377de16245ae355dfe528bb69a7dae391f79331 (patch)
tree	4e99aaf06368a6c8485e709bcb743052f0f7bcc2
parent	62842aac9810b9d430ca3621d9e909be653954ae (diff)
download	meta-openembedded-8377de16245ae355dfe528bb69a7dae391f79331.tar.gz

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..b2ef22c06f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
@@ -0,0 +1,188 @@
		1	From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 22 Sep 2022 17:39:21 +0530
		4	Subject: [PATCH] CVE-2022-0934
		5
		6	Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39]
		7	CVE: CVE-2022-0934
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	CHANGELOG \| 2 ++
		11	src/rfc3315.c \| 48 +++++++++++++++++++++++++++---------------------
		12	2 files changed, 29 insertions(+), 21 deletions(-)
		13
		14	diff --git a/CHANGELOG b/CHANGELOG
		15	index 60b08d0..d1d7e41 100644
		16	--- a/CHANGELOG
		17	+++ b/CHANGELOG
		18	@@ -88,6 +88,8 @@ version 2.81
		19
		20	Add --script-on-renewal option.
		21
		22	+ Fix write-after-free error in DHCPv6 server code.
		23	+ CVE-2022-0934 refers.
		24
		25	version 2.80
		26	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
		27	diff --git a/src/rfc3315.c b/src/rfc3315.c
		28	index b3f0a0a..eef1360 100644
		29	--- a/src/rfc3315.c
		30	+++ b/src/rfc3315.c
		31	@@ -33,9 +33,9 @@ struct state {
		32	unsigned int mac_len, mac_type;
		33	};
		34
		35	-static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
		36	+static int dhcp6_maybe_relay(struct state state, unsigned char inbuff, size_t sz,
		37	struct in6_addr *client_addr, int is_unicast, time_t now);
		38	-static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_t sz, int is_unicast, time_t now);
		39	+static int dhcp6_no_relay(struct state state, int msg_type, unsigned char inbuff, size_t sz, int is_unicast, time_t now);
		40	static void log6_opts(int nest, unsigned int xid, void start_opts, void end_opts);
		41	static void log6_packet(struct state state, char type, struct in6_addr addr, char string);
		42	static void log6_quiet(struct state state, char type, struct in6_addr addr, char string);
		43	@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context context, int interface, char if
		44	}
		45
		46	/* This cost me blood to write, it will probably cost you blood to understand - srk. */
		47	-static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
		48	+static int dhcp6_maybe_relay(struct state state, unsigned char inbuff, size_t sz,
		49	struct in6_addr *client_addr, int is_unicast, time_t now)
		50	{
		51	void *end = inbuff + sz;
		52	void *opts = inbuff + 34;
		53	- int msg_type = ((unsigned char )inbuff);
		54	+ int msg_type = *inbuff;
		55	unsigned char *outmsgtypep;
		56	void *opt;
		57	struct dhcp_vendor *vendor;
		58	@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
		59	return 1;
		60	}
		61
		62	-static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_t sz, int is_unicast, time_t now)
		63	+static int dhcp6_no_relay(struct state state, int msg_type, unsigned char inbuff, size_t sz, int is_unicast, time_t now)
		64	{
		65	void *opt;
		66	- int i, o, o1, start_opts;
		67	+ int i, o, o1, start_opts, start_msg;
		68	struct dhcp_opt *opt_cfg;
		69	struct dhcp_netid *tagif;
		70	struct dhcp_config *config = NULL;
		71	struct dhcp_netid known_id, iface_id, v6_id;
		72	- unsigned char *outmsgtypep;
		73	+ unsigned char outmsgtype;
		74	struct dhcp_vendor *vendor;
		75	struct dhcp_context *context_tmp;
		76	struct dhcp_mac *mac_opt;
		77	@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		78	v6_id.next = state->tags;
		79	state->tags = &v6_id;
		80
		81	- /* copy over transaction-id, and save pointer to message type */
		82	- if (!(outmsgtypep = put_opt6(inbuff, 4)))
		83	+ start_msg = save_counter(-1);
		84	+ /* copy over transaction-id */
		85	+ if (!put_opt6(inbuff, 4))
		86	return 0;
		87	start_opts = save_counter(-1);
		88	- state->xid = outmsgtypep[3] \| outmsgtypep[2] << 8 \| outmsgtypep[1] << 16;
		89	-
		90	+ state->xid = inbuff[3] \| inbuff[2] << 8 \| inbuff[1] << 16;
		91	+
		92	/* We're going to be linking tags from all context we use.
		93	mark them as unused so we don't link one twice and break the list */
		94	for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
		95	@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		96	(msg_type == DHCP6REQUEST \|\| msg_type == DHCP6RENEW \|\| msg_type == DHCP6RELEASE \|\| msg_type == DHCP6DECLINE))
		97
		98	{
		99	- *outmsgtypep = DHCP6REPLY;
		100	+ outmsgtype = DHCP6REPLY;
		101	o1 = new_opt6(OPTION6_STATUS_CODE);
		102	put_opt6_short(DHCP6USEMULTI);
		103	put_opt6_string("Use multicast");
		104	@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		105	struct dhcp_netid *solicit_tags;
		106	struct dhcp_context *c;
		107
		108	- *outmsgtypep = DHCP6ADVERTISE;
		109	+ outmsgtype = DHCP6ADVERTISE;
		110
		111	if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
		112	{
		113	- *outmsgtypep = DHCP6REPLY;
		114	+ outmsgtype = DHCP6REPLY;
		115	state->lease_allocate = 1;
		116	o = new_opt6(OPTION6_RAPID_COMMIT);
		117	end_opt6(o);
		118	@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		119	int start = save_counter(-1);
		120
		121	/* set reply message type */
		122	- *outmsgtypep = DHCP6REPLY;
		123	+ outmsgtype = DHCP6REPLY;
		124	state->lease_allocate = 1;
		125
		126	log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
		127	@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		128	case DHCP6RENEW:
		129	{
		130	/* set reply message type */
		131	- *outmsgtypep = DHCP6REPLY;
		132	+ outmsgtype = DHCP6REPLY;
		133
		134	log6_quiet(state, "DHCPRENEW", NULL, NULL);
		135
		136	@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		137	int good_addr = 0;
		138
		139	/* set reply message type */
		140	- *outmsgtypep = DHCP6REPLY;
		141	+ outmsgtype = DHCP6REPLY;
		142
		143	log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
		144
		145	@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		146	log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
		147	if (ignore)
		148	return 0;
		149	- *outmsgtypep = DHCP6REPLY;
		150	+ outmsgtype = DHCP6REPLY;
		151	tagif = add_options(state, 1);
		152	break;
		153	}
		154	@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		155	case DHCP6RELEASE:
		156	{
		157	/* set reply message type */
		158	- *outmsgtypep = DHCP6REPLY;
		159	+ outmsgtype = DHCP6REPLY;
		160
		161	log6_quiet(state, "DHCPRELEASE", NULL, NULL);
		162
		163	@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		164	case DHCP6DECLINE:
		165	{
		166	/* set reply message type */
		167	- *outmsgtypep = DHCP6REPLY;
		168	+ outmsgtype = DHCP6REPLY;
		169
		170	log6_quiet(state, "DHCPDECLINE", NULL, NULL);
		171
		172	@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state state, int msg_type, void inbuff, size_
		173	}
		174
		175	}
		176	-
		177	+
		178	+ /* Fill in the message type. Note that we store the offset,
		179	+ not a direct pointer, since the packet memory may have been
		180	+ reallocated. */
		181	+ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
		182	+
		183	log_tags(tagif, state->xid);
		184	log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
		185
		186	--
		187	2.25.1
		188


diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 2fb389915b..8db57edb79 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -11,4 +11,5 @@ SRC_URI += "\
11	file://CVE-2020-25686-1.patch \	11	file://CVE-2020-25686-1.patch \
12	file://CVE-2020-25686-2.patch \	12	file://CVE-2020-25686-2.patch \
13	file://CVE-2021-3448.patch \	13	file://CVE-2021-3448.patch \
		14	file://CVE-2022-0934.patch \
14	"	15	"