+++ /dev/null
-From 5ab67e936085a9e584c9b3e43f442ef5bee7f40e Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 25 Sep 2017 20:11:58 +0100
-Subject: [PATCH 5/9] Security fix, CVE-2017-14496, Integer underflow in
- DNS response creation.
-
- Fix DoS in DNS. Invalid boundary checks in the
- add_pseudoheader function allows a memcpy call with negative
- size An attacker which can send malicious DNS queries
- to dnsmasq can trigger a DoS remotely.
- dnsmasq is vulnerable only if one of the following option is
- specified: --add-mac, --add-cpe-id or --add-subnet.
----
- src/edns0.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/edns0.c b/src/edns0.c
-index d2b514b..eed135e 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- GETSHORT(len, p);
-
- /* malformed option, delete the whole OPT RR and start again. */
-- if (i + len > rdlen)
-+ if (i + 4 + len > rdlen)
- {
- rdlen = 0;
- is_last = 0;
-@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
- header, plen)))
- return plen;
-+ if (p + 11 > limit)
-+ return plen; /* Too big */
- *p++ = 0; /* empty name */
- PUTSHORT(T_OPT, p);
- PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
-@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* Copy back any options */
- if (buff)
- {
-+ if (p + rdlen > limit)
-+ {
-+ free(buff);
-+ return plen; /* Too big */
-+ }
- memcpy(p, buff, rdlen);
- free(buff);
- p += rdlen;
-@@ -217,8 +224,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* Add new option */
- if (optno != 0 && replace != 2)
- {
-+ if (p + 4 > limit)
-+ return plen; /* Too big */
- PUTSHORT(optno, p);
- PUTSHORT(optlen, p);
-+ if (p + optlen > limit)
-+ return plen; /* Too big */
- memcpy(p, opt, optlen);
- p += optlen;
- PUTSHORT(p - datap, lenp);
---
-2.9.5
-