Misc code cleanups arising from Google analysis.
No security impleications or CVEs. Signed-off-by: Petr Menšík <pemensik@redhat.com>
This commit is contained in:
Petr Menšík
parent
ce9aecdce0
commit
dfac991c15
|
|
@ -0,0 +1,63 @@
|
|||
From 6a0b00f0d66490e074323d04782e75c4ba8a3f8d Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Mon, 25 Sep 2017 20:19:55 +0100
|
||||
Subject: [PATCH 8/9] Misc code cleanups arising from Google analysis. No
|
||||
security impleications or CVEs.
|
||||
|
||||
---
|
||||
src/edns0.c | 2 +-
|
||||
src/rfc1035.c | 4 +++-
|
||||
src/rfc2131.c | 2 +-
|
||||
3 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/edns0.c b/src/edns0.c
|
||||
index 89b2692..7ed5a47 100644
|
||||
--- a/src/edns0.c
|
||||
+++ b/src/edns0.c
|
||||
@@ -159,7 +159,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
|
||||
/* delete option if we're to replace it. */
|
||||
p -= 4;
|
||||
rdlen -= len + 4;
|
||||
- memcpy(p, p+len+4, rdlen - i);
|
||||
+ memmove(p, p+len+4, rdlen - i);
|
||||
PUTSHORT(rdlen, lenp);
|
||||
lenp -= 2;
|
||||
}
|
||||
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
||||
index 826f8a4..27af023 100644
|
||||
--- a/src/rfc1035.c
|
||||
+++ b/src/rfc1035.c
|
||||
@@ -37,7 +37,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
|
||||
/* end marker */
|
||||
{
|
||||
/* check that there are the correct no of bytes after the name */
|
||||
- if (!CHECK_LEN(header, p, plen, extrabytes))
|
||||
+ if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes))
|
||||
return 0;
|
||||
|
||||
if (isExtract)
|
||||
@@ -498,6 +498,8 @@ static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *
|
||||
{
|
||||
unsigned int i, len = *p1;
|
||||
unsigned char *p2 = p1;
|
||||
+ if ((p1 + len - p) >= rdlen)
|
||||
+ return 0; /* bad packet */
|
||||
/* make counted string zero-term and sanitise */
|
||||
for (i = 0; i < len; i++)
|
||||
{
|
||||
diff --git a/src/rfc2131.c b/src/rfc2131.c
|
||||
index f7c1f80..f3a7e53 100644
|
||||
--- a/src/rfc2131.c
|
||||
+++ b/src/rfc2131.c
|
||||
@@ -157,7 +157,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
for (offset = 0; offset < (len - 5); offset += elen + 5)
|
||||
{
|
||||
elen = option_uint(opt, offset + 4 , 1);
|
||||
- if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA)
|
||||
+ if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA && offset + elen + 5 <= len)
|
||||
{
|
||||
unsigned char *x = option_ptr(opt, offset + 5);
|
||||
unsigned char *y = option_ptr(opt, offset + elen + 5);
|
||||
--
|
||||
2.9.5
|
||||
|
||||
|
|
@ -29,6 +29,7 @@ Patch4: dnsmasq-2.77-CVE-2017-14493.patch
|
|||
Patch5: dnsmasq-2.77-CVE-2017-14494.patch
|
||||
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
|
||||
Patch7: dnsmasq-2.77-CVE-2017-14495.patch
|
||||
Patch8: dnsmasq-2.77-misc-cleanups.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
|
|
@ -70,6 +71,7 @@ query/remove a DHCP server's leases.
|
|||
%patch5 -p1 -b .CVE-2017-14494
|
||||
%patch6 -p1 -b .CVE-2017-14496
|
||||
%patch7 -p1 -b .CVE-2017-14495
|
||||
%patch8 -p1 -b .misc-cleanups
|
||||
|
||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||
|
|
@ -163,6 +165,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
|
||||
- Security fix, CVE-2017-14496, Integer underflow in DNS response creation
|
||||
- Security fix, CVE-2017-14495, OOM in DNS response creation
|
||||
- Misc code cleanups arising from Google analysis
|
||||
|
||||
* Thu Sep 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-7
|
||||
- Fix CVE-2017-13704
|
||||
|
|
|
|||
Loading…
Reference in New Issue