aboutsummaryrefslogtreecommitdiffstats
path: root/main/dnsmasq/CVE-2017-14494.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/dnsmasq/CVE-2017-14494.patch')
-rw-r--r--main/dnsmasq/CVE-2017-14494.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/main/dnsmasq/CVE-2017-14494.patch b/main/dnsmasq/CVE-2017-14494.patch
new file mode 100644
index 0000000000..eeba01b8bd
--- /dev/null
+++ b/main/dnsmasq/CVE-2017-14494.patch
@@ -0,0 +1,30 @@
+From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:05:11 +0100
+Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
+ forwarded requests.
+
+Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+cause dnsmasq to forward memory from outside the packet
+buffer to a DHCPv6 server when acting as a relay.
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 920907c..4ca43e0 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+
+ for (opt = opts; opt; opt = opt6_next(opt, end))
+ {
++ if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
++ return 0;
++ }
+ int o = new_opt6(opt6_type(opt));
+ if (opt6_type(opt) == OPTION6_RELAY_MSG)
+ {
+--
+2.9.5
+