author | Jakub Jirutka <jakub@jirutka.cz> | 2017-10-02 18:51:54 +0000 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2017-10-02 21:00:42 +0200 |
commit | e2b7176ff9d902f7e8837d4a7ef0d560c903fc35 (patch) | |
tree | 8b6abdd175f84224f47a6e5caa4480e3c066c255 /main/dnsmasq/CVE-2017-14491-2.patch | |
parent | 38c5d19a2966f1e4b392e88a4a05455300a33eed (diff) |
main/dnsmasq: backport patches for CVE-2017-14491..14496
Diffstat (limited to 'main/dnsmasq/CVE-2017-14491-2.patch')
-rw-r--r-- | main/dnsmasq/CVE-2017-14491-2.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/main/dnsmasq/CVE-2017-14491-2.patch b/main/dnsmasq/CVE-2017-14491-2.patch
new file mode 100644
index 00000000000..d72b07759db
--- /dev/null
+++ b/main/dnsmasq/CVE-2017-14491-2.patch
@@ -0,0 +1,68 @@
+From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 27af023..56ab88b 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ 
+ va_start(ap, format); /* make ap point to 1st unamed argument */
+ 
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+- 
+ if (nameoffset > 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(nameoffset | 0xc000, p);
+ }
+ else
+ {
+ char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+- 
++ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++ 
+ if (nameoffset < 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(-nameoffset | 0xc000, p);
+ }
+ else
+- *p++ = 0;
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+ }
+ 
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++ 
+ PUTSHORT(type, p);
+ PUTSHORT(class, p);
+ PUTLONG(ttl, p); /* TTL */
+-- 
+2.9.5
+
|
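Review bot: The relocated `CHECK_LIMIT(10)` only bounds the fixed type/class/ttl/rdlen header that follows the (now individually checked) owner name; the per-format rdata writes that come after `PUTLONG(ttl, p)` are outside this hunk, so whether each of them carries its own bound check — which is what the first CVE-2017-14491 commit 0549c73b is meant to add — cannot be confirmed from this view. This patch also depends on that earlier commit for the `CHECK_LIMIT` macro and the three-argument `do_rfc1035_name(p, name, limit)`, so it can only apply after CVE-2017-14491.patch; the APKBUILD patch order that enforces this is not part of the commit shown here and is worth checking. One note I would add above the hunk in the patch file's header: `Requires CVE-2017-14491.patch (upstream 0549c73b) to be applied first: it defines CHECK_LIMIT and the limit-aware do_rfc1035_name.` The body of add_resource_record starts and ends outside the hunk.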