aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>2017-08-29 14:29:18 +0100
committerHans Dedecker <dedeckeh@gmail.com>2017-08-30 21:12:49 +0200
commita006b48c04543947e1e924972a9026824bdc3d29 (patch)
tree74f39b374475232702ee2f9e4c866ac12d5252cc
parentdc8392f6a1ca1ec50306af390576d4a19e9a9290 (diff)
downloadupstream-a006b48c04543947e1e924972a9026824bdc3d29.tar.gz
upstream-a006b48c04543947e1e924972a9026824bdc3d29.tar.bz2
upstream-a006b48c04543947e1e924972a9026824bdc3d29.zip
dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() is called with header & limit pointing at the same address and thus tries to clear memory from before the buffer begins. answer_request() is called with an invalid edns packet size provided by the client. Ensure the udp_size provided by the client is bounded by 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 MUST be treated as equal to 512" The client that exposed the problem provided a payload udp size of 0. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
-rw-r--r--package/network/services/dnsmasq/Makefile2
-rw-r--r--package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch37
2 files changed, 38 insertions, 1 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index a169edba62..dda11dbfed 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.77
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
diff --git a/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch
new file mode 100644
index 0000000000..8848131dac
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch
@@ -0,0 +1,37 @@
+From 38af9b1ac3242a4128e88069c495024caa565f0e Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+Date: Tue, 29 Aug 2017 12:35:40 +0100
+Subject: [PATCH] forward.c: fix CVE-2017-13704
+
+Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
+is called with header & limit pointing at the same address and thus
+tries to clear memory from before the buffer begins.
+
+answer_request() is called with an invalid edns packet size provided by
+the client. Ensure the udp_size provided by the client is bounded by
+512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
+MUST be treated as equal to 512"
+
+The client that exposed the problem provided a payload udp size of 0.
+
+Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+---
+ src/forward.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/forward.c b/src/forward.c
+index f22556a..62c5a5a 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1408,6 +1408,8 @@ void receive_query(struct listener *listen, time_t now)
+ defaults to 512 */
+ if (udp_size > daemon->edns_pktsz)
+ udp_size = daemon->edns_pktsz;
++ if (udp_size < 512)
++ udp_size = 512; /* RFC 6891 6.2.3 */
+ }
+
+ #ifdef HAVE_AUTH
+--
+2.7.4
+