[LEDE-DEV] [PATCH] dnsmasq: mitigate CVE-2017-13704

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Mon Aug 28 08:36:18 PDT 2017


Work around a problem where answer_request() attempts to clear from the
end of a request to end of request buffer but the end of the buffer is
at the same place as the start.

Originally this meant that memset() tried to clear data before the
buffer leading to segmentation violation.  Instead only clear to end of
buffer if it is bigger than the request length.

Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
---
 package/network/services/dnsmasq/Makefile          |  2 +-
 .../020-rfc1035-mitigate-CVE-2017-13704.patch      | 35 ++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 package/network/services/dnsmasq/patches/020-rfc1035-mitigate-CVE-2017-13704.patch

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index d7f14f9..bd7f610 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
 PKG_VERSION:=2.77
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
diff --git a/package/network/services/dnsmasq/patches/020-rfc1035-mitigate-CVE-2017-13704.patch b/package/network/services/dnsmasq/patches/020-rfc1035-mitigate-CVE-2017-13704.patch
new file mode 100644
index 0000000..29b8464
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/020-rfc1035-mitigate-CVE-2017-13704.patch
@@ -0,0 +1,35 @@
+From 340a26f915d8c3bb54c44f58d432cc7240631a74 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
+Date: Mon, 28 Aug 2017 14:52:10 +0100
+Subject: [PATCH] dnsmasq: rfc1035: mitigate CVE-2017-13704
+
+Work around a problem where answer_request() attempts to clear from the
+end of a request to end of request buffer but the end of the buffer is
+at the same place as the start.
+
+Originally this meant that memset() tried to clear data before the
+buffer leading to segmentation violation.  Instead only clear to end of
+buffer it is bigger than the request length.
+
+Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
+---
+ src/rfc1035.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 26f5301..91a9641 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1225,7 +1225,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ 
+   /* Clear buffer beyond request to avoid risk of
+      information disclosure. */
+-  memset(((char *)header) + qlen, 0, 
++  if ( (limit - ((char *)header)) > qlen )
++      memset(((char *)header) + qlen, 0,
+ 	 (limit - ((char *)header)) - qlen);
+   
+   if (ntohs(header->ancount) != 0 ||
+-- 
+2.7.4
+
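Review bot: the new guard `+  if ( (limit - ((char *)header)) > qlen )` compares a signed `ptrdiff_t` with the unsigned `size_t qlen`; under the usual arithmetic conversions the pointer difference is converted to unsigned, so a negative difference (limit below header) would pass the check and the `memset` that follows would run with the same wrapped length this patch is meant to prevent, and the comparison draws `-Wsign-compare`. Suggest testing the pointers first and casting only once the difference is known non-negative, e.g. `if (limit > (char *)header && (size_t)(limit - (char *)header) > qlen)`. Two smaller points: the continuation line `+ 	 (limit - ((char *)header)) - qlen);` keeps its original tab indent while the new `if` and `memset` use spaces, so the call no longer reads as one statement; and since this guards the symptom at the memset rather than the reason `limit` can coincide with `header`, it is worth stating in the commit message that the patch is a workaround at the call site rather than a root-cause fix.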
-- 
2.7.4
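The guarded clear that the patch adds, shown as an added C example that is neither dnsmasq's nor Kevin's code: one helper exposes the wrapped length the unguarded subtraction yields when `limit` meets `header` (returned, never passed to `memset`), and `clear_tail_guarded` is my suggested hardened shape; buffer sizes and names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Unguarded tail length, as computed by the original memset() call:
 * (limit - buf) is a signed ptrdiff_t and qlen is size_t, so once the
 * request is at least as long as the buffer the subtraction wraps to a
 * huge size_t.  Returned, not passed to memset(), so it is safe to inspect.
 */
size_t tail_len_unguarded(const char *buf, const char *limit, size_t qlen)
{
    return (size_t)((limit - buf) - qlen);
}

/* Constructed case: buffer end coincides with its start, 20-byte request. */
size_t demo_wrapped_len(void)
{
    char buf[8];
    return tail_len_unguarded(buf, buf, 20);   /* SIZE_MAX - 19, not 0 */
}

/*
 * Hardened form (my suggested shape, not dnsmasq's code): test the
 * pointers first, cast the difference only once it is known non-negative,
 * and clear only what lies beyond the request.  Returns bytes cleared.
 */
size_t clear_tail_guarded(char *buf, char *limit, size_t qlen)
{
    if (limit <= buf)                        /* empty or inverted range */
        return 0;
    size_t avail = (size_t)(limit - buf);    /* safe: difference > 0 */
    if (avail <= qlen)                       /* request fills the buffer */
        return 0;
    memset(buf + qlen, 0, avail - qlen);
    return avail - qlen;
}

/* Constructed check: 512-byte reply buffer holding a 100-byte request. */
int demo_clears_only_beyond_request(void)
{
    char buf[512];
    memset(buf, 0xAB, sizeof buf);
    size_t n = clear_tail_guarded(buf, buf + sizeof buf, 100);
    if (n != 412 || (unsigned char)buf[99] != 0xAB || buf[100] != 0 || buf[511] != 0)
        return 0;
    /* limit == buf, the condition behind CVE-2017-13704: nothing is cleared */
    return clear_tail_guarded(buf, buf, 100) == 0;
}
```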