Prevent overflow in extract_name function (CVE-2026-2291)

Handle invalid names correctly and refuse them without writing into too
small buffer. Contains upstream proposed basic fix.

Resolves-Vulnerability: CVE-2026-2291
Resolves: RHEL-181041
This commit is contained in:
Petr Menšík 2026-05-05 17:26:18 +02:00
parent 9b84838ba3
commit 9786bf4aec
2 changed files with 41 additions and 1 deletions

View File

@ -0,0 +1,36 @@
From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 10 Apr 2026 16:29:31 +0100
Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291
All buffers capable of holding a domain name should be
at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
size of a domain name. The accounts for the trailing zero and the
fact that some characters are escaped in the internal representation
of a domain name in dnsmasq.
The declaration of struct bigname get this wrong, with the effect
that a remote attacker capable of asking DNS queries or answering DNS
queries can cause a large OOB write in the heap.
This was first spotted by Andrew S. Fasano.
---
src/dnsmasq.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index e455c3f..be8cf2a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -467,7 +467,7 @@ struct interface_name {
};
union bigname {
- char name[MAXDNAME];
+ char name[(2*MAXDNAME) + 1];
union bigname *next; /* freelist */
};
--
2.54.0

View File

@ -23,7 +23,7 @@
Name: dnsmasq
Version: 2.90
Release: 6%{?extraversion:.%{extraversion}}%{?dist}
Release: 7%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
# SPDX identifiers already
@ -49,6 +49,7 @@ Patch2: dnsmasq-2.81-configuration.patch
Patch3: dnsmasq-2.78-fips.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2439088
Patch4: dnsmasq-CVE-2026-2291.patch
Patch5: dnsmasq-2.93-CVE-2026-2291.patch
Requires: nettle
@ -223,6 +224,9 @@ install -Dpm 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
%endif
%changelog
* Tue May 05 2026 Petr Menšík <pemensik@redhat.com> - 2.90-7
- Prevent overflow in extract_name function (CVE-2026-2291)
* Wed Mar 18 2026 Petr Menšík <pemensik@redhat.com> - 2.90-6
- Prevent heap buffer overflow in cache via NAME_ESCAPE expansion
(CVE-2026-2291)