Fix buffer overflow in helper.c with large CLIDs (CVE-2026-4892)
Bug reported by Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
Resolves-Vulnerability: CVE-2026-4892
Resolves: RHEL-168313
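The following C example is added here by the editor and is not dnsmasq code or part of the commit above. It makes the message's arithmetic concrete (two hex digits plus a separator per CLID byte, so a 1000-byte CLID needs 3000 bytes, and the first CLID length that overruns a 5131-byte buffer holding nothing else is 1711), reproduces the loop shape of the fix to show what happens to the separator when a CLID is longer than the 100-byte cap, and sets a bounded encoder beside it. The buffer size and the 100-byte cap come from the commit message; the ':' separator is assumed, since the hunk does not show it; every function and macro name is invented for the example.

```c
/* Added example, not dnsmasq code: the arithmetic behind the overflow in the
 * commit message, the loop shape of the fix, and a bounded encoder. Assumed:
 * daemon->packet is a 5131-byte buffer holding only the encoded CLID (in the
 * real helper other data may share it, so the threshold is an upper bound);
 * ':' separates hex pairs (not shown in the hunk); all names are invented. */
#include <stdint.h>
#include <stdio.h>

#define PACKET_SIZE 5131   /* daemon->packet size quoted in the commit message */
#define CLID_CAP    100    /* byte cap introduced by the fix */

/* Bytes "xx:xx:...:xx" needs for n CLID bytes, NUL included:
 * 2 hex digits per byte + (n - 1) separators + 1 NUL = 3n for n >= 1. */
size_t clid_hex_required(size_t n)
{
  return n == 0 ? 1 : 3 * n;
}

/* Smallest CLID length whose uncapped encoding overruns a bufsz-byte buffer. */
size_t clid_min_overflow_len(size_t bufsz)
{
  return bufsz / 3 + 1;
}

/* Loop shape of the committed fix: iterations are capped, but the separator
 * test still uses the full clid_len, so a CLID longer than cap ends in ':'. */
size_t clid_hex_encode_as_committed(const uint8_t *clid, size_t clid_len,
                                    size_t cap, char *out)
{
  char *p = out;
  size_t i;
  for (i = 0; i < clid_len && i < cap; i++)
    {
      p += sprintf(p, "%.2x", (unsigned)clid[i]);
      if (i != clid_len - 1)
        p += sprintf(p, ":");
    }
  *p = '\0';
  return (size_t)(p - out);      /* at most 3*cap characters */
}

/* Bounded variant: truncate once, check the output size before writing, and
 * use the truncated length in the separator test. Returns characters written
 * (NUL excluded), or 0 with an empty string when out is too small. */
size_t clid_hex_encode_bounded(const uint8_t *clid, size_t clid_len, size_t cap,
                               char *out, size_t outsz)
{
  size_t n = clid_len < cap ? clid_len : cap, i;
  char *p = out;
  if (outsz < clid_hex_required(n))
    {
      if (outsz) out[0] = '\0';
      return 0;
    }
  for (i = 0; i < n; i++)
    {
      p += sprintf(p, "%.2x", (unsigned)clid[i]);
      if (i != n - 1)
        *p++ = ':';
    }
  *p = '\0';
  return (size_t)(p - out);
}

/* Encode a constructed 200-byte CLID with the 100-byte cap through either loop;
 * returns the length, and *last (if non-NULL) gets the final character. */
size_t demo_encode_200(int committed_form, char *last)
{
  uint8_t clid[200];
  char out[512];                    /* room for either loop's worst case */
  size_t i, len;
  for (i = 0; i < sizeof clid; i++)
    clid[i] = (uint8_t)i;           /* constructed sample CLID */
  len = committed_form
    ? clid_hex_encode_as_committed(clid, sizeof clid, CLID_CAP, out)
    : clid_hex_encode_bounded(clid, sizeof clid, CLID_CAP, out, sizeof out);
  if (last)
    *last = len ? out[len - 1] : 0;
  return len;
}

int demo_last_char_200(int committed_form)
{
  char c;
  demo_encode_200(committed_form, &c);
  return c;
}

int main(void)
{
  printf("1000-byte CLID -> %zu bytes, 65535-byte CLID -> %zu bytes, packet is %d,"
         " overrun starts at %zu bytes\n", clid_hex_required(1000),
         clid_hex_required(65535), PACKET_SIZE, clid_min_overflow_len(PACKET_SIZE));
  printf("200-byte CLID: committed loop %zu chars ending '%c', bounded %zu ending '%c'\n",
         demo_encode_200(1, NULL), demo_last_char_200(1),
         demo_encode_200(0, NULL), demo_last_char_200(0));
  return 0;
}
```

Build with `cc -std=c99 -Wall` and run. With the constructed 200-byte CLID the loop shaped like the committed fix writes 300 characters and ends in ':', because the separator test still looks at the full length; the bounded encoder writes 299 and ends in a hex digit. The threshold function shows that, with the packet buffer otherwise empty, a CLID of 1711 bytes is the first to overrun 5131 bytes, well below the 65535-byte maximum the message cites.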
parent cd2aa18d31
commit 2bcf829f3a
dnsmasq-2.93-CVE-2026-4892.patch (new file, 36 lines)
@ -0,0 +1,36 @@
From e0a5f7bef040d25631ffff9abaf8424091b768bc Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 25 Mar 2026 23:16:35 +0000
Subject: [PATCH 4/5] Fix buffer overflow in helper.c with large CLIDs.
CVE-2026-4892
Bug reported bt Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
---
src/helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/helper.c b/src/helper.c
index b9da225..3a31e61 100644
--- a/src/helper.c
+++ b/src/helper.c
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
data.hostname_len + data.ed_len + data.clid_len, 1))
continue;
- /* CLID into packet */
- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
{
p += sprintf(p, "%.2x", buf[i]);
if (i != data.clid_len - 1)
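Review bot: the separator test on the last visible line of this hunk, `if (i != data.clid_len - 1)`, still compares i against the full `data.clid_len`, so when a CLID is longer than 100 bytes the capped loop ends at i = 99 and whatever the if body appends between bytes is also appended after the 100th, leaving the encoded value with a dangling trailing separator. Truncate once, e.g. `unsigned int len = data.clid_len > 100 ? 100 : data.clid_len;`, and use `len` in both the loop bound and the separator test. The literal 100 also appears in the new comment and the loop here and, per the commit message, in log6_packet(); a shared named constant would stop the two caps drifting apart. A one-line comment that the CLID passed to the script is now truncated for long identifiers would also help, since a script that keys on the CLID will see clients whose identifiers share their first 100 bytes as the same client.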
--
2.54.0
@ -52,6 +52,7 @@ Patch4: dnsmasq-CVE-2026-2291.patch
Patch5: dnsmasq-2.93-CVE-2026-2291.patch
Patch6: dnsmasq-2.93-CVE-2026-4890.patch
Patch7: dnsmasq-2.93-CVE-2026-4891.patch
Patch8: dnsmasq-2.93-CVE-2026-4892.patch
Requires: nettle
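Review bot: Patch8 is declared here, but no corresponding change in %prep is part of this diff; if the spec applies patches with %autosetup or %autopatch that is enough, but if it applies them with numbered %patch lines the new file would be shipped in the SRPM and never applied, so please confirm the %prep side. In passing, the context shows Patch4 and Patch5 both pointing at CVE-2026-2291 files (dnsmasq-CVE-2026-2291.patch and dnsmasq-2.93-CVE-2026-2291.patch); not part of this change, but worth checking that both are intended.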
@ -230,6 +231,7 @@ install -Dpm 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
- Prevent overflow in extract_name function (CVE-2026-2291)
- Prevent DoS in DNSSEC validation (CVE-2026-4890)
- Prevent out-of-bounds read in DNSSEC validation (CVE-2026-4891)
- Prevent out-of-bounds write in DHCPv6 server (CVE-2026-4892)
* Wed Mar 18 2026 Petr Menšík <pemensik@redhat.com> - 2.90-6
- Prevent heap buffer overflow in cache via NAME_ESCAPE expansion
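Review bot: the new changelog line calls this an out-of-bounds write in the DHCPv6 server, but the patch's own description places it in the dhcp-script helper (helper.c, which keeps root privileges) while hex-encoding the CLID, and that code is only reached when --dhcp-script is configured; something like "Prevent buffer overflow in dhcp-script helper with large DHCPv6 CLIDs (CVE-2026-4892)" would tell readers which deployments are affected. The header line of the stanza this entry belongs to, and the matching Release: bump, fall outside the visible hunks (the entry sits above the existing 2.90-6 stanza); please make sure both were updated together with this line.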