From bd80bf435e3f0d057c3814e934a7685457cbd1cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 26 Sep 2017 17:42:03 +0200 Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix heap overflow in DNS code. This is a potentially serious security hole. It allows an attacker who can make DNS requests to dnsmasq, and who controls the contents of a domain, which is thereby queried, to overflow (by 2 bytes) a heap buffer and either crash, or even take control of, dnsmasq. Signed-off-by: Petr Menšík --- dnsmasq-2.77-CVE-2017-14491.patch | 263 ++++++++++++++++++++++++++++++ dnsmasq.spec | 7 +- 2 files changed, 269 insertions(+), 1 deletion(-) create mode 100644 dnsmasq-2.77-CVE-2017-14491.patch diff --git a/dnsmasq-2.77-CVE-2017-14491.patch b/dnsmasq-2.77-CVE-2017-14491.patch new file mode 100644 index 0000000..9b62e90 --- /dev/null +++ b/dnsmasq-2.77-CVE-2017-14491.patch @@ -0,0 +1,263 @@ +From 445282d13b90712ef90d2c2141d0e19bb1d896d2 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Mon, 25 Sep 2017 18:17:11 +0100 +Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow. + +Fix heap overflow in DNS code. This is a potentially serious +security hole. It allows an attacker who can make DNS +requests to dnsmasq, and who controls the contents of +a domain, which is thereby queried, to overflow +(by 2 bytes) a heap buffer and either crash, or +even take control of, dnsmasq. + +(original commit 0549c73b7ea6b22a3c49beb4d432f185a81efcbc) +--- + src/dnsmasq.h | 2 +- + src/dnssec.c | 2 +- + src/option.c | 2 +- + src/rfc1035.c | 50 +++++++++++++++++++++++++++++++++++++++++--------- + src/rfc2131.c | 4 ++-- + src/rfc3315.c | 4 ++-- + src/util.c | 7 ++++++- + 7 files changed, 54 insertions(+), 17 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 06fae35..7a18898 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1179,7 +1179,7 @@ u32 rand32(void); + u64 rand64(void); + int legal_hostname(char *c); + char *canonicalise(char *s, int *nomem); +-unsigned char *do_rfc1035_name(unsigned char *p, char *sval); ++unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit); + void *safe_malloc(size_t size); + void safe_pipe(int *fd, int read_noblock); + void *whine_malloc(size_t size); +diff --git a/src/dnssec.c b/src/dnssec.c +index 3330eef..b6cb55f 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -2230,7 +2230,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char + + p = (unsigned char *)(header+1); + +- p = do_rfc1035_name(p, name); ++ p = do_rfc1035_name(p, name, NULL); + *p++ = 0; + PUTSHORT(type, p); + PUTSHORT(class, p); +diff --git a/src/option.c b/src/option.c +index 064ef62..22bd19a 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -1415,7 +1415,7 @@ static int parse_dhcp_opt(char *errstr, char *arg, int flags) + } + + p = newp; +- end = do_rfc1035_name(p + len, dom); ++ end = do_rfc1035_name(p + len, dom, NULL); + *end++ = 0; + len = end - p; + free(dom); +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 1671883..3397a26 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1062,6 +1062,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog + return 0; + } + ++ + int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, + unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...) + { +@@ -1071,12 +1072,21 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int + unsigned short usval; + long lval; + char *sval; ++#define CHECK_LIMIT(size) \ ++ if (limit && p + (size) > (unsigned char*)limit) \ ++ { \ ++ va_end(ap); \ ++ goto truncated; \ ++ } + + if (truncp && *truncp) + return 0; +- ++ + va_start(ap, format); /* make ap point to 1st unamed argument */ +- ++ ++ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ ++ CHECK_LIMIT(12); ++ + if (nameoffset > 0) + { + PUTSHORT(nameoffset | 0xc000, p); +@@ -1085,7 +1095,13 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int + { + char *name = va_arg(ap, char *); + if (name) +- p = do_rfc1035_name(p, name); ++ p = do_rfc1035_name(p, name, limit); ++ if (!p) ++ { ++ va_end(ap); ++ goto truncated; ++ } ++ + if (nameoffset < 0) + { + PUTSHORT(-nameoffset | 0xc000, p); +@@ -1106,6 +1122,7 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int + { + #ifdef HAVE_IPV6 + case '6': ++ CHECK_LIMIT(IN6ADDRSZ); + sval = va_arg(ap, char *); + memcpy(p, sval, IN6ADDRSZ); + p += IN6ADDRSZ; +@@ -1113,36 +1130,47 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int + #endif + + case '4': ++ CHECK_LIMIT(INADDRSZ); + sval = va_arg(ap, char *); + memcpy(p, sval, INADDRSZ); + p += INADDRSZ; + break; + + case 'b': ++ CHECK_LIMIT(1); + usval = va_arg(ap, int); + *p++ = usval; + break; + + case 's': ++ CHECK_LIMIT(2); + usval = va_arg(ap, int); + PUTSHORT(usval, p); + break; + + case 'l': ++ CHECK_LIMIT(4); + lval = va_arg(ap, long); + PUTLONG(lval, p); + break; + + case 'd': +- /* get domain-name answer arg and store it in RDATA field */ +- if (offset) +- *offset = p - (unsigned char *)header; +- p = do_rfc1035_name(p, va_arg(ap, char *)); +- *p++ = 0; ++ /* get domain-name answer arg and store it in RDATA field */ ++ if (offset) ++ *offset = p - (unsigned char *)header; ++ p = do_rfc1035_name(p, va_arg(ap, char *), limit); ++ if (!p) ++ { ++ va_end(ap); ++ goto truncated; ++ } ++ CHECK_LIMIT(1); ++ *p++ = 0; + break; + + case 't': + usval = va_arg(ap, int); ++ CHECK_LIMIT(usval); + sval = va_arg(ap, char *); + if (usval != 0) + memcpy(p, sval, usval); +@@ -1154,20 +1182,24 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int + usval = sval ? strlen(sval) : 0; + if (usval > 255) + usval = 255; ++ CHECK_LIMIT(usval + 1); + *p++ = (unsigned char)usval; + memcpy(p, sval, usval); + p += usval; + break; + } + ++#undef CHECK_LIMIT + va_end(ap); /* clean up variable argument pointer */ + + j = p - sav - 2; +- PUTSHORT(j, sav); /* Now, store real RDLength */ ++ /* this has already been checked against limit before */ ++ PUTSHORT(j, sav); /* Now, store real RDLength */ + + /* check for overflow of buffer */ + if (limit && ((unsigned char *)limit - p) < 0) + { ++truncated: + if (truncp) + *truncp = 1; + return 0; +diff --git a/src/rfc2131.c b/src/rfc2131.c +index a679470..052498c 100644 +--- a/src/rfc2131.c ++++ b/src/rfc2131.c +@@ -2454,10 +2454,10 @@ static void do_options(struct dhcp_context *context, + + if (fqdn_flags & 0x04) + { +- p = do_rfc1035_name(p, hostname); ++ p = do_rfc1035_name(p, hostname, NULL); + if (domain) + { +- p = do_rfc1035_name(p, domain); ++ p = do_rfc1035_name(p, domain, NULL); + *p++ = 0; + } + } +diff --git a/src/rfc3315.c b/src/rfc3315.c +index 054ecd0..715b6db 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -1479,10 +1479,10 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh) + if ((p = expand(len + 2))) + { + *(p++) = state->fqdn_flags; +- p = do_rfc1035_name(p, state->hostname); ++ p = do_rfc1035_name(p, state->hostname, NULL); + if (state->send_domain) + { +- p = do_rfc1035_name(p, state->send_domain); ++ p = do_rfc1035_name(p, state->send_domain, NULL); + *p = 0; + } + } +diff --git a/src/util.c b/src/util.c +index 145e53a..471faa9 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -227,15 +227,20 @@ char *canonicalise(char *in, int *nomem) + return ret; + } + +-unsigned char *do_rfc1035_name(unsigned char *p, char *sval) ++unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit) + { + int j; + + while (sval && *sval) + { ++ if (limit && p + 1 > (unsigned char*)limit) ++ return p; ++ + unsigned char *cp = p++; + for (j = 0; *sval && (*sval != '.'); sval++, j++) + { ++ if (limit && p + 1 > (unsigned char*)limit) ++ return p; + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) + *p++ = (*(++sval))-1; +-- +2.9.5 + diff --git a/dnsmasq.spec b/dnsmasq.spec index bf0986c..013ad61 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.77 -Release: 7%{?extraversion:.%{extraversion}}%{?dist} +Release: 8%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server Group: System Environment/Daemons @@ -23,6 +23,7 @@ Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{vers Source1: %{name}.service Patch1: dnsmasq-2.77-CVE-2017-13704.patch +Patch2: dnsmasq-2.77-CVE-2017-14491.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -58,6 +59,7 @@ query/remove a DHCP server's leases. %prep %setup -q -n %{name}-%{version}%{?extraversion} %patch1 -p1 -b .CVE-2017-13704 +%patch2 -p1 -b .CVE-2017-14491 # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do @@ -144,6 +146,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/dhcp_* %changelog +* Mon Oct 02 2017 Petr Menšík - 2.77-8 +- Security fix, CVE-2017-14491 DNS heap buffer overflow + * Thu Sep 14 2017 Petr Menšík - 2.77-7 - Fix CVE-2017-13704