Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch')
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
new file mode 100644
index 000000000..3e73feb68
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
@@ -0,0 +1,75 @@
+From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
+git://thekelleys.org.uk/dnsmasq
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+
+Upstream-Status: Backport
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 78410d6..e5628ba 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+
+ va_start(ap, format); /* make ap point to 1st unamed argument */
+
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+-
+ if (nameoffset > 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(nameoffset | 0xc000, p);
+ }
+ else
+ {
+ char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+-
++ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++
+ if (nameoffset < 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(-nameoffset | 0xc000, p);
+ }
+ else
+- *p++ = 0;
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+ }
+
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++
+ PUTSHORT(type, p);
+ PUTSHORT(class, p);
+ PUTLONG(ttl, p); /* TTL */
+--
+2.11.0
+
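Review bot: The header of this new patch file has `Upstream-Status: Backport` but no `CVE: CVE-2017-14491` tag line, so the fix is tied to the CVE only through the file name and the Subject; adding the tag next to Upstream-Status makes the mapping explicit for CVE tracking. In the rfc1035.c hunk, the per-branch `CHECK_LIMIT(2)` and `CHECK_LIMIT(1)` calls lost the size explanation that the removed comment gave, so short comments such as `/* 2-byte compression pointer */` and `/* terminating root label */` would record why each bound is what it is. CHECK_LIMIT is defined outside the hunk, presumably by the earlier fix 0549c73b that this one extends, so this patch must be applied after that one. It is also worth confirming that the macro calls `va_end(ap)` before jumping to `truncated`, as the explicit do_rfc1035_name failure path here does. add_resource_record's body starts and ends outside the hunk.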