diff options
Diffstat (limited to 'package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch')
-rw-r--r-- | package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch | 94 |
1 files changed, 0 insertions, 94 deletions
diff --git a/package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch b/package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch deleted file mode 100644 index bba9a08060..0000000000 --- a/package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 63437ffbb58837b214b4b92cb1c54bc5f3279928 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon@thekelleys.org.uk> -Date: Wed, 6 Sep 2017 22:34:21 +0100 -Subject: [PATCH] Fix CVE-2017-13704, which resulted in a crash on a large DNS - query. - -A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size, -if different.) is enough to cause SIGSEGV. ---- - CHANGELOG | 7 +++++++ - src/auth.c | 5 ----- - src/forward.c | 8 ++++++++ - src/rfc1035.c | 5 ----- - 4 files changed, 15 insertions(+), 10 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 3a640f3..7e65912 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -17,6 +17,13 @@ version 2.78 - --strict-order active. Thanks to Hans Dedecker - for the patch - -+ Fix regression in 2.77, ironically added as a security -+ improvement, which resulted in a crash when a DNS -+ query exceeded 512 bytes (or the EDNS0 packet size, -+ if different.) Thanks to Christian Kujau, Arne Woerner -+ Juan Manuel Fernandez and Kevin Darbyshire-Bryant for -+ chasing this one down. CVE-2017-13704 applies. -+ - - version 2.77 - Generate an error when configured with a CNAME loop, -diff --git a/src/auth.c b/src/auth.c -index 2c24e16..7f95f98 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n - struct cname *a, *candidate; - unsigned int wclen; - -- /* Clear buffer beyond request to avoid risk of -- information disclosure. */ -- memset(((char *)header) + qlen, 0, -- (limit - ((char *)header)) - qlen); -- - if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) - return 0; - -diff --git a/src/forward.c b/src/forward.c -index f22556a..e3fa94b 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -1188,6 +1188,10 @@ void receive_query(struct listener *listen, time_t now) - (msg.msg_flags & MSG_TRUNC) || - (header->hb3 & HB3_QR)) - return; -+ -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(daemon->packet + n, 0, daemon->edns_pktsz - n); - - source_addr.sa.sa_family = listen->family; - -@@ -1688,6 +1692,10 @@ unsigned char *tcp_request(int confd, time_t now, - - if (size < (int)sizeof(struct dns_header)) - continue; -+ -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(payload + size, 0, 65536 - size); - - query_count++; - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 26f5301..af2fe46 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - struct mx_srv_record *rec; - size_t len; - -- /* Clear buffer beyond request to avoid risk of -- information disclosure. */ -- memset(((char *)header) + qlen, 0, -- (limit - ((char *)header)) - qlen); -- - if (ntohs(header->ancount) != 0 || - ntohs(header->nscount) != 0 || - ntohs(header->qdcount) == 0 || --- -1.7.10.4 - |