Fix NSEC bitmap parsing infinite loop (CVE-2026-4890)
Resolves-Vulnerability: CVE-2026-4890 Resolves: RHEL-168291
This commit is contained in:
parent
fcd7e2ba0b
commit
1204bcb34e
70
dnsmasq-2.93-CVE-2026-4890.patch
Normal file
70
dnsmasq-2.93-CVE-2026-4890.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From 09fe631edd6d95630efc11bec8c5017705e68a10 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Fri, 10 Apr 2026 22:16:45 +0100
|
||||
Subject: [PATCH 2/5] Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
|
||||
|
||||
Report from Royce M <royce@xchglabs.com>.
|
||||
|
||||
Location: dnssec.c:1290-1306, dnssec.c:1450-1463
|
||||
|
||||
The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
|
||||
unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
|
||||
|
||||
The same code accesses p[2] after only checking rdlen >= 2 without verifying p[1] >= 1, causing OOB reads at 6 locations.
|
||||
|
||||
Both bugs are reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
|
||||
---
|
||||
src/dnssec.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/dnssec.c b/src/dnssec.c
|
||||
index ed2f53f..68f1b5d 100644
|
||||
--- a/src/dnssec.c
|
||||
+++ b/src/dnssec.c
|
||||
@@ -1270,10 +1270,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||||
packet checked to be as long as rdlen implies in prove_non_existence() */
|
||||
|
||||
/* If we can prove that there's no NS record, return that information. */
|
||||
- if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0)
|
||||
+ if (nons && rdlen >= 2 && p[0] == 0 && p[1] >= 1 && (p[2] & (0x80 >> T_NS)) != 0)
|
||||
*nons = 0;
|
||||
|
||||
- if (rdlen >= 2 && p[0] == 0)
|
||||
+ if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
|
||||
{
|
||||
/* A CNAME answer would also be valid, so if there's a CNAME is should
|
||||
have been returned. */
|
||||
@@ -1301,8 +1301,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||||
break; /* finished checking */
|
||||
}
|
||||
|
||||
- rdlen -= p[1];
|
||||
- p += p[1];
|
||||
+ rdlen -= p[1] + 2;
|
||||
+ p += p[1] + 2;
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -1429,7 +1429,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||||
p += hash_len; /* skip next-domain hash */
|
||||
rdlen -= p - psave;
|
||||
|
||||
- if (rdlen >= 2 && p[0] == 0)
|
||||
+ if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
|
||||
{
|
||||
/* If we can prove that there's no NS record, return that information. */
|
||||
if (nons && (p[2] & (0x80 >> T_NS)) != 0)
|
||||
@@ -1458,8 +1458,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||||
break; /* finished checking */
|
||||
}
|
||||
|
||||
- rdlen -= p[1];
|
||||
- p += p[1];
|
||||
+ rdlen -= p[1] + 2;
|
||||
+ p += p[1] + 2;
|
||||
}
|
||||
|
||||
return 1;
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -80,6 +80,7 @@ Patch18: dnsmasq-2.87-filter-AAAA.patch
|
||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=5a9eae429a7d0680d606f03f2759d7dde0bbe3f0
|
||||
Patch19: dnsmasq-2.89-filter-AAAA-improve.patch
|
||||
Patch20: dnsmasq-2.93-CVE-2026-2291.patch
|
||||
Patch21: dnsmasq-2.93-CVE-2026-4890.patch
|
||||
|
||||
# This is workaround to nettle bug #1549190
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||
@ -229,6 +230,7 @@ install -Dpm 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
%changelog
|
||||
* Tue May 05 2026 Petr Menšík <pemensik@redhat.com> - 2.85-19
|
||||
- Prevent overflow in extract_name function (CVE-2026-2291)
|
||||
- Prevent DoS in DNSSEC validation (CVE-2026-4890)
|
||||
|
||||
* Thu Dec 11 2025 Fedor Vorobev <fvorobev@redhat.com> - 2.85-18
|
||||
- Added installation of tmpfiles config.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user