aboutsummaryrefslogtreecommitdiffstats
path: root/main/musl/CVE-2017-15650.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/musl/CVE-2017-15650.patch')
-rw-r--r--main/musl/CVE-2017-15650.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/main/musl/CVE-2017-15650.patch b/main/musl/CVE-2017-15650.patch
new file mode 100644
index 0000000000..7ac52fccd5
--- /dev/null
+++ b/main/musl/CVE-2017-15650.patch
@@ -0,0 +1,32 @@
+From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 18 Oct 2017 14:50:03 -0400
+Subject: in dns parsing callback, enforce MAXADDRS to preclude overflow
+
+MAXADDRS was chosen not to need enforcement, but the logic used to
+compute it assumes the answers received match the RR types of the
+queries. specifically, it assumes that only one replu contains A
+record answers. if the replies to both the A and the AAAA query have
+their answer sections filled with A records, MAXADDRS can be exceeded
+and clobber the stack of the calling function.
+
+this bug was found and reported by Felix Wilhelm.
+---
+ src/network/lookup_name.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
+index 066be4d..209c20f 100644
+--- a/src/network/lookup_name.c
++++ b/src/network/lookup_name.c
+@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
+ {
+ char tmp[256];
+ struct dpc_ctx *ctx = c;
++ if (ctx->cnt >= MAXADDRS) return -1;
+ switch (rr) {
+ case RR_A:
+ if (len != 4) return -1;
+--
+cgit v0.11.2
+