aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch')
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch90
1 files changed, 90 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch
new file mode 100644
index 000000000..3603ef127
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch
@@ -0,0 +1,90 @@
+From: bradh352 <brad@brad-house.com>
+Date: Fri, 11 Jun 2021 11:27:45 -0400
+Subject: [1/2] ares_expand_name() should escape more characters
+Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672
+
+RFC1035 5.1 specifies some reserved characters and escaping sequences
+that are allowed to be specified. Expand the list of reserved characters
+and also escape non-printable characters using the \DDD format as
+specified in the RFC.
+
+Bug Reported By: philipp.jeitner@sit.fraunhofer.de
+Fix By: Brad House (@bradh352)
+CVE: CVE-2021-3672
+Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz]
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+---
+ ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/ares_expand_name.c b/ares_expand_name.c
+index 407200ef5b4b..f1c874a97cfc 100644
+--- a/ares_expand_name.c
++++ b/ares_expand_name.c
+@@ -32,6 +32,26 @@
+ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+ int alen);
+
++/* Reserved characters for names that need to be escaped */
++static int is_reservedch(int ch)
++{
++ switch (ch) {
++ case '"':
++ case '.':
++ case ';':
++ case '\\':
++ case '(':
++ case ')':
++ case '@':
++ case '$':
++ return 1;
++ default:
++ break;
++ }
++
++ return 0;
++}
++
+ /* Expand an RFC1035-encoded domain name given by encoded. The
+ * containing message is given by abuf and alen. The result given by
+ * *s, which is set to a NUL-terminated allocated buffer. *enclen is
+@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+ p++;
+ while (len--)
+ {
+- if (*p == '.' || *p == '\\')
++ if (!isprint(*p)) {
++ /* Output as \DDD for consistency with RFC1035 5.1 */
++ *q++ = '\\';
++ *q++ = '0' + *p / 100;
++ *q++ = '0' + (*p % 100) / 10;
++ *q++ = '0' + (*p % 10);
++ } else if (is_reservedch(*p)) {
+ *q++ = '\\';
+- *q++ = *p;
++ *q++ = *p;
++ } else {
++ *q++ = *p;
++ }
+ p++;
+ }
+ *q++ = '.';
+@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+ encoded++;
+ while (offset--)
+ {
+- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
++ if (!isprint(*encoded)) {
++ n += 4;
++ } else if (is_reservedch(*encoded)) {
++ n += 2;
++ } else {
++ n += 1;
++ }
+ encoded++;
+ }
+ n++;
+--
+2.32.0
+