diff options
author | Zhang Xiao <xiao.zhang@windriver.com> | 2018-05-04 15:04:33 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2018-05-28 19:08:25 -0700 |
commit | 997caf9146cd3797cd054e2adebd1fbb4df91911 (patch) | |
tree | 5d5988e851ef380998840df86af7a5b799107bc9 /meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch | |
parent | 2628a2ccacc3bb0256df97ef4b0245f685485c78 (diff) | |
download | meta-openembedded-contrib-997caf9146cd3797cd054e2adebd1fbb4df91911.tar.gz |
dnsmasq: backport CVE fixes from dnsmasq 2.78stable/morty-next
CVE-2017-1449{1-6}
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch')
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch new file mode 100644 index 0000000000..fc50ef0848 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14496.patch @@ -0,0 +1,73 @@ +From c25545680679a12d78dd80662ed1bc5d97a38d6d Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Mon, 25 Sep 2017 20:11:58 +0100 +Subject: [PATCH 5/7] Security fix, CVE-2017-14496, Integer underflow in DNS + response creation. + +commit 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 upstream +git://thekelleys.org.uk/dnsmasq + +Fix DoS in DNS. Invalid boundary checks in the +add_pseudoheader function allows a memcpy call with negative +size An attacker which can send malicious DNS queries +to dnsmasq can trigger a DoS remotely. +dnsmasq is vulnerable only if one of the following option is +specified: --add-mac, --add-cpe-id or --add-subnet. + +Upstream-Status: Backport + +Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> +--- + src/edns0.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/edns0.c b/src/edns0.c +index c7a101e..a2ef0ea 100644 +--- a/src/edns0.c ++++ b/src/edns0.c +@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + GETSHORT(len, p); + + /* malformed option, delete the whole OPT RR and start again. */ +- if (i + len > rdlen) ++ if (i + 4 + len > rdlen) + { + rdlen = 0; + is_last = 0; +@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), + header, plen))) + return plen; ++ if (p + 11 > limit) ++ return plen; /* Too big */ + *p++ = 0; /* empty name */ + PUTSHORT(T_OPT, p); + PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ +@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + /* Copy back any options */ + if (buff) + { ++ if (p + rdlen > limit) ++ { ++ free(buff); ++ return plen; /* Too big */ ++ } + memcpy(p, buff, rdlen); + free(buff); + p += rdlen; +@@ -217,8 +224,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + /* Add new option */ + if (optno != 0 && replace != 2) + { ++ if (p + 4 > limit) ++ return plen; /* Too big */ + PUTSHORT(optno, p); + PUTSHORT(optlen, p); ++ if (p + optlen > limit) ++ return plen; /* Too big */ + memcpy(p, opt, optlen); + p += optlen; + PUTSHORT(p - datap, lenp); +-- +2.11.0 + |