From e66c11835ddc2aeb2708c810432e78c3126658f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 26 Sep 2017 17:55:20 +0200
Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
 forwarded requests.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

    Fix information leak in DHCPv6. A crafted DHCPv6 packet can
    cause dnsmasq to forward memory from outside the packet
    buffer to a DHCPv6 server when acting as a relay.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
---
 dnsmasq-2.77-CVE-2017-14494.patch | 30 ++++++++++++++++++++++++++++++
 dnsmasq.spec                      |  3 +++
 2 files changed, 33 insertions(+)
 create mode 100644 dnsmasq-2.77-CVE-2017-14494.patch

diff --git a/dnsmasq-2.77-CVE-2017-14494.patch b/dnsmasq-2.77-CVE-2017-14494.patch
new file mode 100644
index 0000000..7b49907
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14494.patch
@@ -0,0 +1,30 @@
+From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:05:11 +0100
+Subject: [PATCH 5/9] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
+ forwarded requests.
+
+Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+cause dnsmasq to forward memory from outside the packet
+buffer to a DHCPv6 server when acting as a relay.
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 920907c..4ca43e0 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   
+   for (opt = opts; opt; opt = opt6_next(opt, end))
+     {
++      if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
++        return 0;
++      }
+       int o = new_opt6(opt6_type(opt));
+       if (opt6_type(opt) == OPTION6_RELAY_MSG)
+ 	{
+-- 
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 9583493..a3a437d 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -26,6 +26,7 @@ Patch1:         dnsmasq-2.77-CVE-2017-13704.patch
 Patch2:         dnsmasq-2.77-CVE-2017-14491.patch
 Patch3:         dnsmasq-2.77-CVE-2017-14492.patch
 Patch4:         dnsmasq-2.77-CVE-2017-14493.patch
+Patch5:         dnsmasq-2.77-CVE-2017-14494.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -64,6 +65,7 @@ query/remove a DHCP server's leases.
 %patch2 -p1 -b .CVE-2017-14491
 %patch3 -p1 -b .CVE-2017-14492
 %patch4 -p1 -b .CVE-2017-14493
+%patch5 -p1 -b .CVE-2017-14494
 
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -154,6 +156,7 @@ rm -rf $RPM_BUILD_ROOT
 - Security fix, CVE-2017-14491, DNS heap buffer overflow
 - Security fix, CVE-2017-14492, DHCPv6 RA heap overflow
 - Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
+- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
 
 * Thu Sep 14 2017 Petr Menšík <pemensik@redhat.com> - 2.77-7
 - Fix CVE-2017-13704