Security fix, CVE-2017-14491, DNS heap buffer overflow.
Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc. Handles the case when the RR name is not a pointer to the question; this only occurs for some auth-mode replies, and was therefore not detected by fuzzing (?). Signed-off-by: Petr Menšík <pemensik@redhat.com>
parent
dfac991c15
commit
6379c5b2d4
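--- a/dnsmasq-2.77-CVE-2017-14491-2.patch
+++ b/dnsmasq-2.77-CVE-2017-14491-2.patch
@@ -0,0 +1,68 @@
+From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH 10/10] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+---
+src/rfc1035.c | 27 +++++++++++++++------------
+1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 27af023..56ab88b 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+
+va_start(ap, format); /* make ap point to 1st unamed argument */
+
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+-
+if (nameoffset > 0)
+{
++ CHECK_LIMIT(2);
+PUTSHORT(nameoffset | 0xc000, p);
+}
+else
+{
+char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+-
++ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++
+if (nameoffset < 0)
+{
++ CHECK_LIMIT(2);
+PUTSHORT(-nameoffset | 0xc000, p);
+}
+else
+- *p++ = 0;
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+}
+
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++
+PUTSHORT(type, p);
+PUTSHORT(class, p);
+PUTLONG(ttl, p); /* TTL */
+--
+2.9.5
+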
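Review bot: Every CHECK_LIMIT() use this hunk introduces (the `CHECK_LIMIT(2)`, `CHECK_LIMIT(1)` and `CHECK_LIMIT(10)` lines) sits between the va_start() at the top of the hunk and the function's eventual va_end(), while the macro's definition lies outside the hunk, so it is not visible here whether the macro ends ap before it jumps. The failure path the patch keeps for do_rfc1035_name() still spells out `va_end(ap); goto truncated;` by hand, which suggests a bare `goto truncated` from inside the macro would leave ap un-ended on the truncation path; confirm the macro's expansion includes va_end(ap) or add `/* CHECK_LIMIT must va_end(ap) before goto truncated: ap is live here */` next to its first use. The body of add_resource_record() begins before and continues past the hunk, as does the `truncated:` label these jumps target.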
@ -30,6 +30,7 @@ Patch5: dnsmasq-2.77-CVE-2017-14494.patch
|
|||||||
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
|
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
|
||||||
Patch7: dnsmasq-2.77-CVE-2017-14495.patch
|
Patch7: dnsmasq-2.77-CVE-2017-14495.patch
|
||||||
Patch8: dnsmasq-2.77-misc-cleanups.patch
|
Patch8: dnsmasq-2.77-misc-cleanups.patch
|
||||||
|
Patch9: dnsmasq-2.77-CVE-2017-14491-2.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
@ -72,6 +73,7 @@ query/remove a DHCP server's leases.
|
|||||||
%patch6 -p1 -b .CVE-2017-14496
|
%patch6 -p1 -b .CVE-2017-14496
|
||||||
%patch7 -p1 -b .CVE-2017-14495
|
%patch7 -p1 -b .CVE-2017-14495
|
||||||
%patch8 -p1 -b .misc-cleanups
|
%patch8 -p1 -b .misc-cleanups
|
||||||
|
%patch9 -p1 -b .CVE-2017-14491-2
|
||||||
|
|
||||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||||
|