[LEDE-DEV] [PATCH] dnsmasq: forward.c: fix CVE-2017-13704

Hans Dedecker dedeckeh at gmail.com
Tue Aug 29 14:01:31 PDT 2017


On Tue, Aug 29, 2017 at 3:29 PM, Kevin Darbyshire-Bryant
<kevin at darbyshire-bryant.me.uk> wrote:
> Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
> is called with header & limit pointing at the same address and thus
> tries to clear memory from before the buffer begins.
>
> answer_request() is called with an invalid edns packet size provided by
> the client.  Ensure the udp_size provided by the client is bounded by
> 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
> MUST be treated as equal to 512"
>
> The client that exposed the problem provided a payload udp size of 0.
>
> Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh at gmail.com>
> ---
>  package/network/services/dnsmasq/Makefile          |  2 +-
>  .../dnsmasq/patches/020-fix-CVE-2017-13704.patch   | 37 ++++++++++++++++++++++
>  2 files changed, 38 insertions(+), 1 deletion(-)
>  create mode 100644 package/network/services/dnsmasq/patches/020-fix-CVE-2017-13704.patch
>
> diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
> index d7f14f9..bd7f610 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=dnsmasq
>  PKG_VERSION:=2.77
> -PKG_RELEASE:=9
> +PKG_RELEASE:=10
>
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
>  PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
> diff --git a/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch
> new file mode 100644
> index 0000000..8848131
> --- /dev/null
> +++ b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch
> @@ -0,0 +1,37 @@
> +From 38af9b1ac3242a4128e88069c495024caa565f0e Mon Sep 17 00:00:00 2001
> +From: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
> +Date: Tue, 29 Aug 2017 12:35:40 +0100
> +Subject: [PATCH] forward.c: fix CVE-2017-13704
> +
> +Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
> +is called with header & limit pointing at the same address and thus
> +tries to clear memory from before the buffer begins.
> +
> +answer_request() is called with an invalid edns packet size provided by
> +the client.  Ensure the udp_size provided by the client is bounded by
> +512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
> +MUST be treated as equal to 512"
> +
> +The client that exposed the problem provided a payload udp size of 0.
> +
> +Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
> +---
> + src/forward.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/forward.c b/src/forward.c
> +index f22556a..62c5a5a 100644
> +--- a/src/forward.c
> ++++ b/src/forward.c
> +@@ -1408,6 +1408,8 @@ void receive_query(struct listener *listen, time_t now)
> +        defaults to 512 */
> +       if (udp_size > daemon->edns_pktsz)
> +       udp_size = daemon->edns_pktsz;
> ++      if (udp_size < 512)
> ++      udp_size = 512; /* RFC 6891 6.2.3 */
> +     }
> +
> + #ifdef HAVE_AUTH
> +--
> +2.7.4
> +
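Review bot: the new floor is applied after the clamp to daemon->edns_pktsz, so a configured maximum below 512 would be silently raised to 512, which contradicts "bounded by 512 and configured maximum" unless the configured value is already guaranteed to be at least 512; confirm that invariant holds where the option is parsed (or enforce it there) rather than relying on the order of the two checks here, and consider a named constant for 512 so the comment "defaults to 512" and the check cannot drift apart. Separately, the diffstat in the cover message lists the new file as 020-fix-CVE-2017-13704.patch while this diff creates 025-fix-CVE-2017-13704.patch; regenerate the patch so the stat and the diff agree.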
> --
> 2.7.4
>
>