rpms/dnsmasq
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)

Browse Source
This commit is contained in:
Mark McLoughlin 2009-10-05 10:26:35 +00:00
parent 27df76d8d5
commit 8b0560dcd4
2 changed files with 75 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
dnsmasq-2.48-tftp-server-vulnerabilities.patch Normal file
View File

@ -0,0 +1,69 @@
diff -up dnsmasq-2.48/src/tftp.c.tftp-server-vulnerabilities dnsmasq-2.48/src/tftp.c
--- dnsmasq-2.48/src/tftp.c.tftp-server-vulnerabilities 2009-10-05 11:15:10.104555320 +0100
+++ dnsmasq-2.48/src/tftp.c 2009-10-05 11:15:12.104564277 +0100
@@ -192,20 +192,21 @@ void tftp_request(struct listener *liste
while ((opt = next(&p, end)))
{
- if (strcasecmp(opt, "blksize") == 0 &&
- (opt = next(&p, end)) &&
- !(daemon->options & OPT_TFTP_NOBLOCK))
+ if (strcasecmp(opt, "blksize") == 0)
{
- transfer->blocksize = atoi(opt);
- if (transfer->blocksize < 1)
- transfer->blocksize = 1;
- if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
- transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
- transfer->opt_blocksize = 1;
- transfer->block = 0;
+ if ((opt = next(&p, end)) &&
+ !(daemon->options & OPT_TFTP_NOBLOCK))
+ {
+ transfer->blocksize = atoi(opt);
+ if (transfer->blocksize < 1)
+ transfer->blocksize = 1;
+ if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+ transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+ transfer->opt_blocksize = 1;
+ transfer->block = 0;
+ }
}
-
- if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
+ else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
{
transfer->opt_transize = 1;
transfer->block = 0;
@@ -217,17 +218,17 @@ void tftp_request(struct listener *liste
{
if (daemon->tftp_prefix[0] == '/')
daemon->namebuff[0] = 0;
- strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
+ strncat(daemon->namebuff, daemon->tftp_prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
- strncat(daemon->namebuff, "/", MAXDNAME);
+ strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
if (daemon->options & OPT_TFTP_APREF)
{
size_t oldlen = strlen(daemon->namebuff);
struct stat statbuf;
- strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
- strncat(daemon->namebuff, "/", MAXDNAME);
+ strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
+ strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
/* remove unique-directory if it doesn't exist */
if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
@@ -245,8 +246,7 @@ void tftp_request(struct listener *liste
}
else if (filename[0] == '/')
daemon->namebuff[0] = 0;
- strncat(daemon->namebuff, filename, MAXDNAME);
- daemon->namebuff[MAXDNAME-1] = 0;
+ strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
/* check permissions and open file */
if ((transfer->file = check_tftp_fileperm(&len)))

7
dnsmasq.spec
View File

@ -11,7 +11,7 @@
Name: dnsmasq
Version: 2.48
Release: 3%{?extraversion}%{?dist}
Release: 4%{?extraversion}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
@ -20,6 +20,7 @@ URL: http://www.thekelleys.org.uk/dnsmasq/
Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{version}%{?extraversion}.tar.lzma
Patch0: %{name}-2.33-initscript.patch
Patch1: %{name}-configuration.patch
Patch2: %{name}-2.48-tftp-server-vulnerabilities.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: dbus-devel
@ -46,6 +47,7 @@ machines.
%setup -q -n %{name}-%{version}%{?extraversion}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
make %{?_smp_mflags}
@ -109,6 +111,9 @@ fi
%changelog
* Mon Oct 5 2009 Mark McLoughlin <markmc@redhat.com> - 2.48-4
- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)
* Wed Aug 12 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.48-3
- Use lzma compressed upstream tarball.