Misc code cleanups arising from Google analysis.

No security impleications or CVEs.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
This commit is contained in:
Petr Menšík 2017-10-02 17:13:51 +02:00
parent ce9aecdce0
commit dfac991c15
2 changed files with 66 additions and 0 deletions

View File

@ -0,0 +1,63 @@
From 6a0b00f0d66490e074323d04782e75c4ba8a3f8d Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 25 Sep 2017 20:19:55 +0100
Subject: [PATCH 8/9] Misc code cleanups arising from Google analysis. No
security impleications or CVEs.
---
src/edns0.c | 2 +-
src/rfc1035.c | 4 +++-
src/rfc2131.c | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/edns0.c b/src/edns0.c
index 89b2692..7ed5a47 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -159,7 +159,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
/* delete option if we're to replace it. */
p -= 4;
rdlen -= len + 4;
- memcpy(p, p+len+4, rdlen - i);
+ memmove(p, p+len+4, rdlen - i);
PUTSHORT(rdlen, lenp);
lenp -= 2;
}
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 826f8a4..27af023 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -37,7 +37,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
/* end marker */
{
/* check that there are the correct no of bytes after the name */
- if (!CHECK_LEN(header, p, plen, extrabytes))
+ if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes))
return 0;
if (isExtract)
@@ -498,6 +498,8 @@ static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *
{
unsigned int i, len = *p1;
unsigned char *p2 = p1;
+ if ((p1 + len - p) >= rdlen)
+ return 0; /* bad packet */
/* make counted string zero-term and sanitise */
for (i = 0; i < len; i++)
{
diff --git a/src/rfc2131.c b/src/rfc2131.c
index f7c1f80..f3a7e53 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -157,7 +157,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
for (offset = 0; offset < (len - 5); offset += elen + 5)
{
elen = option_uint(opt, offset + 4 , 1);
- if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA)
+ if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA && offset + elen + 5 <= len)
{
unsigned char *x = option_ptr(opt, offset + 5);
unsigned char *y = option_ptr(opt, offset + elen + 5);
--
2.9.5

View File

@ -29,6 +29,7 @@ Patch4: dnsmasq-2.77-CVE-2017-14493.patch
Patch5: dnsmasq-2.77-CVE-2017-14494.patch Patch5: dnsmasq-2.77-CVE-2017-14494.patch
Patch6: dnsmasq-2.77-CVE-2017-14496.patch Patch6: dnsmasq-2.77-CVE-2017-14496.patch
Patch7: dnsmasq-2.77-CVE-2017-14495.patch Patch7: dnsmasq-2.77-CVE-2017-14495.patch
Patch8: dnsmasq-2.77-misc-cleanups.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -70,6 +71,7 @@ query/remove a DHCP server's leases.
%patch5 -p1 -b .CVE-2017-14494 %patch5 -p1 -b .CVE-2017-14494
%patch6 -p1 -b .CVE-2017-14496 %patch6 -p1 -b .CVE-2017-14496
%patch7 -p1 -b .CVE-2017-14495 %patch7 -p1 -b .CVE-2017-14495
%patch8 -p1 -b .misc-cleanups
# use /var/lib/dnsmasq instead of /var/lib/misc # use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@ -163,6 +165,7 @@ rm -rf $RPM_BUILD_ROOT
- Security fix, CVE-2017-14494, Infoleak handling DHCPv6 - Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- Security fix, CVE-2017-14496, Integer underflow in DNS response creation - Security fix, CVE-2017-14496, Integer underflow in DNS response creation
- Security fix, CVE-2017-14495, OOM in DNS response creation - Security fix, CVE-2017-14495, OOM in DNS response creation
- Misc code cleanups arising from Google analysis
* Thu Sep 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-7 * Thu Sep 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-7
- Fix CVE-2017-13704 - Fix CVE-2017-13704