path: root/meta-networking/recipes-support/dnsmasq/dnsmasq/dnsmasq-CVE-2017-14491-02.patch
From e441ac5247cf8252ac8db08d53862af4065d9586 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 26 Sep 2017 22:00:11 +0100
Subject: [PATCH 7/7] Security fix, CVE-2017-14491, DNS heap buffer overflow.

commit 62cb936cb7ad5f219715515ae7d32dd281a5aa1f upstream
git://thekelleys.org.uk/dnsmasq

Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
Handles case when RR name is not a pointer to the question,
only occurs for some auth-mode replies, therefore not
detected by fuzzing (?)

Upstream-Status: Backport

Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
---
 src/rfc1035.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 78410d6..e5628ba 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1071,32 +1071,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
 
   va_start(ap, format);   /* make ap point to 1st unamed argument */
 
-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-  CHECK_LIMIT(12);
-
   if (nameoffset > 0)
     {
+      CHECK_LIMIT(2);
       PUTSHORT(nameoffset | 0xc000, p);
     }
   else
     {
       char *name = va_arg(ap, char *);
-      if (name)
-	p = do_rfc1035_name(p, name, limit);
-        if (!p)
-          {
-            va_end(ap);
-            goto truncated;
-          }
-
+      if (name && !(p = do_rfc1035_name(p, name, limit)))
+	{
+	  va_end(ap);
+	  goto truncated;
+	}
+      
       if (nameoffset < 0)
 	{
+	  CHECK_LIMIT(2);
 	  PUTSHORT(-nameoffset | 0xc000, p);
 	}
       else
-	*p++ = 0;
+	{
+	  CHECK_LIMIT(1);
+	  *p++ = 0;
+	}
     }
 
+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
+  CHECK_LIMIT(10);
+  
   PUTSHORT(type, p);
   PUTSHORT(class, p);
   PUTLONG(ttl, p);      /* TTL */
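Review bot: The new `CHECK_LIMIT(10)` at the end of the hunk is only correct because it runs after `do_rfc1035_name()` has advanced `p`; the removed up-front `CHECK_LIMIT(12)` measured free space from the pre-name `p`, which is exactly the overflow this commit closes, and nothing in the code says so, so a future "hoist the checks" cleanup could reintroduce it. I would replace the comment above it with `/* Must stay after the owner name is written: do_rfc1035_name() advances p, so the space for type/class/ttl/rdlen has to be measured from the new p, not from where the RR started (CVE-2017-14491). */`. The explicit `va_end(ap); goto truncated;` branch for the name case suggests CHECK_LIMIT is expected to do its own va_end before jumping; its definition is not in the hunk, so that is worth confirming, otherwise the `va_start` at the top of the hunk is left open on the truncated path. Note also that the rdlen placeholder and the format-driven payload writes come after the hunk and need their own bounds checks; add_resource_record() both begins and ends outside this hunk.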
-- 
2.11.0