diff options
Diffstat (limited to 'main/dnsmasq/CVE-2017-14496.patch')
-rw-r--r-- | main/dnsmasq/CVE-2017-14496.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/main/dnsmasq/CVE-2017-14496.patch b/main/dnsmasq/CVE-2017-14496.patch new file mode 100644 index 00000000000..85ac34202bc --- /dev/null +++ b/main/dnsmasq/CVE-2017-14496.patch @@ -0,0 +1,66 @@ +From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Mon, 25 Sep 2017 20:11:58 +0100 +Subject: [PATCH] Security fix, CVE-2017-14496, Integer underflow in DNS + response creation. + +Fix DoS in DNS. Invalid boundary checks in the +add_pseudoheader function allows a memcpy call with negative +size An attacker which can send malicious DNS queries +to dnsmasq can trigger a DoS remotely. +dnsmasq is vulnerable only if one of the following option is +specified: --add-mac, --add-cpe-id or --add-subnet. +--- + src/edns0.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/edns0.c b/src/edns0.c +index f5b798c..95b74ee 100644 +--- a/src/edns0.c ++++ b/src/edns0.c +@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + GETSHORT(len, p); + + /* malformed option, delete the whole OPT RR and start again. */ +- if (i + len > rdlen) ++ if (i + 4 + len > rdlen) + { + rdlen = 0; + is_last = 0; +@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), + header, plen))) + return plen; ++ if (p + 11 > limit) ++ return plen; /* Too big */ + *p++ = 0; /* empty name */ + PUTSHORT(T_OPT, p); + PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ +@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + /* Copy back any options */ + if (buff) + { ++ if (p + rdlen > limit) ++ { ++ free(buff); ++ return plen; /* Too big */ ++ } + memcpy(p, buff, rdlen); + free(buff); + p += rdlen; +@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l + /* Add new option */ + if (optno != 0 && replace != 2) + { ++ if (p + 4 > limit) ++ return plen; /* Too big */ + PUTSHORT(optno, p); + PUTSHORT(optlen, p); ++ if (p + optlen > limit) ++ return plen; /* Too big */ + memcpy(p, opt, optlen); + p += optlen; + PUTSHORT(p - datap, lenp); +-- +2.9.5 + |