Security fix, CVE-2017-14491 DNS heap buffer overflow.
Fix heap overflow in DNS code. This is a potentially serious security hole. It allows an attacker who can make DNS requests to dnsmasq, and who controls the contents of a domain, which is thereby queried, to overflow (by 2 bytes) a heap buffer and either crash, or even take control of, dnsmasq. Signed-off-by: Petr Menšík <pemensik@redhat.com>
This commit is contained in:
parent
9d2935df23
commit
bd80bf435e
263
dnsmasq-2.77-CVE-2017-14491.patch
Normal file
263
dnsmasq-2.77-CVE-2017-14491.patch
Normal file
@ -0,0 +1,263 @@
|
||||
From 445282d13b90712ef90d2c2141d0e19bb1d896d2 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Mon, 25 Sep 2017 18:17:11 +0100
|
||||
Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow.
|
||||
|
||||
Fix heap overflow in DNS code. This is a potentially serious
|
||||
security hole. It allows an attacker who can make DNS
|
||||
requests to dnsmasq, and who controls the contents of
|
||||
a domain, which is thereby queried, to overflow
|
||||
(by 2 bytes) a heap buffer and either crash, or
|
||||
even take control of, dnsmasq.
|
||||
|
||||
(original commit 0549c73b7ea6b22a3c49beb4d432f185a81efcbc)
|
||||
---
|
||||
src/dnsmasq.h | 2 +-
|
||||
src/dnssec.c | 2 +-
|
||||
src/option.c | 2 +-
|
||||
src/rfc1035.c | 50 +++++++++++++++++++++++++++++++++++++++++---------
|
||||
src/rfc2131.c | 4 ++--
|
||||
src/rfc3315.c | 4 ++--
|
||||
src/util.c | 7 ++++++-
|
||||
7 files changed, 54 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
||||
index 06fae35..7a18898 100644
|
||||
--- a/src/dnsmasq.h
|
||||
+++ b/src/dnsmasq.h
|
||||
@@ -1179,7 +1179,7 @@ u32 rand32(void);
|
||||
u64 rand64(void);
|
||||
int legal_hostname(char *c);
|
||||
char *canonicalise(char *s, int *nomem);
|
||||
-unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
|
||||
+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
|
||||
void *safe_malloc(size_t size);
|
||||
void safe_pipe(int *fd, int read_noblock);
|
||||
void *whine_malloc(size_t size);
|
||||
diff --git a/src/dnssec.c b/src/dnssec.c
|
||||
index 3330eef..b6cb55f 100644
|
||||
--- a/src/dnssec.c
|
||||
+++ b/src/dnssec.c
|
||||
@@ -2230,7 +2230,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
|
||||
|
||||
p = (unsigned char *)(header+1);
|
||||
|
||||
- p = do_rfc1035_name(p, name);
|
||||
+ p = do_rfc1035_name(p, name, NULL);
|
||||
*p++ = 0;
|
||||
PUTSHORT(type, p);
|
||||
PUTSHORT(class, p);
|
||||
diff --git a/src/option.c b/src/option.c
|
||||
index 064ef62..22bd19a 100644
|
||||
--- a/src/option.c
|
||||
+++ b/src/option.c
|
||||
@@ -1415,7 +1415,7 @@ static int parse_dhcp_opt(char *errstr, char *arg, int flags)
|
||||
}
|
||||
|
||||
p = newp;
|
||||
- end = do_rfc1035_name(p + len, dom);
|
||||
+ end = do_rfc1035_name(p + len, dom, NULL);
|
||||
*end++ = 0;
|
||||
len = end - p;
|
||||
free(dom);
|
||||
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
||||
index 1671883..3397a26 100644
|
||||
--- a/src/rfc1035.c
|
||||
+++ b/src/rfc1035.c
|
||||
@@ -1062,6 +1062,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog
|
||||
return 0;
|
||||
}
|
||||
|
||||
+
|
||||
int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
|
||||
unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
|
||||
{
|
||||
@@ -1071,12 +1072,21 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
|
||||
unsigned short usval;
|
||||
long lval;
|
||||
char *sval;
|
||||
+#define CHECK_LIMIT(size) \
|
||||
+ if (limit && p + (size) > (unsigned char*)limit) \
|
||||
+ { \
|
||||
+ va_end(ap); \
|
||||
+ goto truncated; \
|
||||
+ }
|
||||
|
||||
if (truncp && *truncp)
|
||||
return 0;
|
||||
-
|
||||
+
|
||||
va_start(ap, format); /* make ap point to 1st unamed argument */
|
||||
-
|
||||
+
|
||||
+ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
|
||||
+ CHECK_LIMIT(12);
|
||||
+
|
||||
if (nameoffset > 0)
|
||||
{
|
||||
PUTSHORT(nameoffset | 0xc000, p);
|
||||
@@ -1085,7 +1095,13 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
|
||||
{
|
||||
char *name = va_arg(ap, char *);
|
||||
if (name)
|
||||
- p = do_rfc1035_name(p, name);
|
||||
+ p = do_rfc1035_name(p, name, limit);
|
||||
+ if (!p)
|
||||
+ {
|
||||
+ va_end(ap);
|
||||
+ goto truncated;
|
||||
+ }
|
||||
+
|
||||
if (nameoffset < 0)
|
||||
{
|
||||
PUTSHORT(-nameoffset | 0xc000, p);
|
||||
@@ -1106,6 +1122,7 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
|
||||
{
|
||||
#ifdef HAVE_IPV6
|
||||
case '6':
|
||||
+ CHECK_LIMIT(IN6ADDRSZ);
|
||||
sval = va_arg(ap, char *);
|
||||
memcpy(p, sval, IN6ADDRSZ);
|
||||
p += IN6ADDRSZ;
|
||||
@@ -1113,36 +1130,47 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
|
||||
#endif
|
||||
|
||||
case '4':
|
||||
+ CHECK_LIMIT(INADDRSZ);
|
||||
sval = va_arg(ap, char *);
|
||||
memcpy(p, sval, INADDRSZ);
|
||||
p += INADDRSZ;
|
||||
break;
|
||||
|
||||
case 'b':
|
||||
+ CHECK_LIMIT(1);
|
||||
usval = va_arg(ap, int);
|
||||
*p++ = usval;
|
||||
break;
|
||||
|
||||
case 's':
|
||||
+ CHECK_LIMIT(2);
|
||||
usval = va_arg(ap, int);
|
||||
PUTSHORT(usval, p);
|
||||
break;
|
||||
|
||||
case 'l':
|
||||
+ CHECK_LIMIT(4);
|
||||
lval = va_arg(ap, long);
|
||||
PUTLONG(lval, p);
|
||||
break;
|
||||
|
||||
case 'd':
|
||||
- /* get domain-name answer arg and store it in RDATA field */
|
||||
- if (offset)
|
||||
- *offset = p - (unsigned char *)header;
|
||||
- p = do_rfc1035_name(p, va_arg(ap, char *));
|
||||
- *p++ = 0;
|
||||
+ /* get domain-name answer arg and store it in RDATA field */
|
||||
+ if (offset)
|
||||
+ *offset = p - (unsigned char *)header;
|
||||
+ p = do_rfc1035_name(p, va_arg(ap, char *), limit);
|
||||
+ if (!p)
|
||||
+ {
|
||||
+ va_end(ap);
|
||||
+ goto truncated;
|
||||
+ }
|
||||
+ CHECK_LIMIT(1);
|
||||
+ *p++ = 0;
|
||||
break;
|
||||
|
||||
case 't':
|
||||
usval = va_arg(ap, int);
|
||||
+ CHECK_LIMIT(usval);
|
||||
sval = va_arg(ap, char *);
|
||||
if (usval != 0)
|
||||
memcpy(p, sval, usval);
|
||||
@@ -1154,20 +1182,24 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
|
||||
usval = sval ? strlen(sval) : 0;
|
||||
if (usval > 255)
|
||||
usval = 255;
|
||||
+ CHECK_LIMIT(usval + 1);
|
||||
*p++ = (unsigned char)usval;
|
||||
memcpy(p, sval, usval);
|
||||
p += usval;
|
||||
break;
|
||||
}
|
||||
|
||||
+#undef CHECK_LIMIT
|
||||
va_end(ap); /* clean up variable argument pointer */
|
||||
|
||||
j = p - sav - 2;
|
||||
- PUTSHORT(j, sav); /* Now, store real RDLength */
|
||||
+ /* this has already been checked against limit before */
|
||||
+ PUTSHORT(j, sav); /* Now, store real RDLength */
|
||||
|
||||
/* check for overflow of buffer */
|
||||
if (limit && ((unsigned char *)limit - p) < 0)
|
||||
{
|
||||
+truncated:
|
||||
if (truncp)
|
||||
*truncp = 1;
|
||||
return 0;
|
||||
diff --git a/src/rfc2131.c b/src/rfc2131.c
|
||||
index a679470..052498c 100644
|
||||
--- a/src/rfc2131.c
|
||||
+++ b/src/rfc2131.c
|
||||
@@ -2454,10 +2454,10 @@ static void do_options(struct dhcp_context *context,
|
||||
|
||||
if (fqdn_flags & 0x04)
|
||||
{
|
||||
- p = do_rfc1035_name(p, hostname);
|
||||
+ p = do_rfc1035_name(p, hostname, NULL);
|
||||
if (domain)
|
||||
{
|
||||
- p = do_rfc1035_name(p, domain);
|
||||
+ p = do_rfc1035_name(p, domain, NULL);
|
||||
*p++ = 0;
|
||||
}
|
||||
}
|
||||
diff --git a/src/rfc3315.c b/src/rfc3315.c
|
||||
index 054ecd0..715b6db 100644
|
||||
--- a/src/rfc3315.c
|
||||
+++ b/src/rfc3315.c
|
||||
@@ -1479,10 +1479,10 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
|
||||
if ((p = expand(len + 2)))
|
||||
{
|
||||
*(p++) = state->fqdn_flags;
|
||||
- p = do_rfc1035_name(p, state->hostname);
|
||||
+ p = do_rfc1035_name(p, state->hostname, NULL);
|
||||
if (state->send_domain)
|
||||
{
|
||||
- p = do_rfc1035_name(p, state->send_domain);
|
||||
+ p = do_rfc1035_name(p, state->send_domain, NULL);
|
||||
*p = 0;
|
||||
}
|
||||
}
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index 145e53a..471faa9 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -227,15 +227,20 @@ char *canonicalise(char *in, int *nomem)
|
||||
return ret;
|
||||
}
|
||||
|
||||
-unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
|
||||
+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)
|
||||
{
|
||||
int j;
|
||||
|
||||
while (sval && *sval)
|
||||
{
|
||||
+ if (limit && p + 1 > (unsigned char*)limit)
|
||||
+ return p;
|
||||
+
|
||||
unsigned char *cp = p++;
|
||||
for (j = 0; *sval && (*sval != '.'); sval++, j++)
|
||||
{
|
||||
+ if (limit && p + 1 > (unsigned char*)limit)
|
||||
+ return p;
|
||||
#ifdef HAVE_DNSSEC
|
||||
if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
|
||||
*p++ = (*(++sval))-1;
|
||||
--
|
||||
2.9.5
|
||||
|
@ -13,7 +13,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.77
|
||||
Release: 7%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 8%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
Group: System Environment/Daemons
|
||||
@ -23,6 +23,7 @@ Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{vers
|
||||
Source1: %{name}.service
|
||||
|
||||
Patch1: dnsmasq-2.77-CVE-2017-13704.patch
|
||||
Patch2: dnsmasq-2.77-CVE-2017-14491.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
@ -58,6 +59,7 @@ query/remove a DHCP server's leases.
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}%{?extraversion}
|
||||
%patch1 -p1 -b .CVE-2017-13704
|
||||
%patch2 -p1 -b .CVE-2017-14491
|
||||
|
||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||
@ -144,6 +146,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Mon Oct 02 2017 Petr Menšík <pemensik@redhat.com> - 2.77-8
|
||||
- Security fix, CVE-2017-14491 DNS heap buffer overflow
|
||||
|
||||
* Thu Sep 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-7
|
||||
- Fix CVE-2017-13704
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user