--- /dev/null
+From 8868a04895b27d42d42e364f1a0c0196c1505b04 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:17:11 +0100
+Subject: [PATCH 1/9] Security fix, CVE-2017-14491 DNS heap buffer
+ overflow.
+
+ Fix heap overflow in DNS code. This is a potentially serious
+ security hole. It allows an attacker who can make DNS
+ requests to dnsmasq, and who controls the contents of
+ a domain, which is thereby queried, to overflow
+ (by 2 bytes) a heap buffer and either crash, or
+ even take control of, dnsmasq.
+---
+ src/dnsmasq.h | 2 +-
+ src/dnssec.c | 2 +-
+ src/option.c | 2 +-
+ src/rfc1035.c | 50 +++++++++++++++++++++++++++++++++++++++++---------
+ src/rfc2131.c | 4 ++--
+ src/rfc3315.c | 4 ++--
+ src/util.c | 7 ++++++-
+ 7 files changed, 54 insertions(+), 17 deletions(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 1179492..06e5579 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1162,7 +1162,7 @@ u32 rand32(void);
+ u64 rand64(void);
+ int legal_hostname(char *c);
+ char *canonicalise(char *s, int *nomem);
+-unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
++unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
+ void *safe_malloc(size_t size);
+ void safe_pipe(int *fd, int read_noblock);
+ void *whine_malloc(size_t size);
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 3c77c7d..f45c804 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -2227,7 +2227,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
+
+ p = (unsigned char *)(header+1);
+
+- p = do_rfc1035_name(p, name);
++ p = do_rfc1035_name(p, name, NULL);
+ *p++ = 0;
+ PUTSHORT(type, p);
+ PUTSHORT(class, p);
+diff --git a/src/option.c b/src/option.c
+index eb78b1a..3469f53 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1378,7 +1378,7 @@ static int parse_dhcp_opt(char *errstr, char *arg, int flags)
+ }
+
+ p = newp;
+- end = do_rfc1035_name(p + len, dom);
++ end = do_rfc1035_name(p + len, dom, NULL);
+ *end++ = 0;
+ len = end - p;
+ free(dom);
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 24d08c1..78410d6 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1049,6 +1049,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog
+ return 0;
+ }
+
++
+ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
+ unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
+ {
+@@ -1058,12 +1059,21 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ unsigned short usval;
+ long lval;
+ char *sval;
++#define CHECK_LIMIT(size) \
++ if (limit && p + (size) > (unsigned char*)limit) \
++ { \
++ va_end(ap); \
++ goto truncated; \
++ }
+
+ if (truncp && *truncp)
+ return 0;
+-
++
+ va_start(ap, format); /* make ap point to 1st unamed argument */
+-
++
++ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
++ CHECK_LIMIT(12);
++
+ if (nameoffset > 0)
+ {
+ PUTSHORT(nameoffset | 0xc000, p);
+@@ -1072,7 +1082,13 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ {
+ char *name = va_arg(ap, char *);
+ if (name)
+- p = do_rfc1035_name(p, name);
++ p = do_rfc1035_name(p, name, limit);
++ if (!p)
++ {
++ va_end(ap);
++ goto truncated;
++ }
++
+ if (nameoffset < 0)
+ {
+ PUTSHORT(-nameoffset | 0xc000, p);
+@@ -1093,6 +1109,7 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ {
+ #ifdef HAVE_IPV6
+ case '6':
++ CHECK_LIMIT(IN6ADDRSZ);
+ sval = va_arg(ap, char *);
+ memcpy(p, sval, IN6ADDRSZ);
+ p += IN6ADDRSZ;
+@@ -1100,36 +1117,47 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ #endif
+
+ case '4':
++ CHECK_LIMIT(INADDRSZ);
+ sval = va_arg(ap, char *);
+ memcpy(p, sval, INADDRSZ);
+ p += INADDRSZ;
+ break;
+
+ case 'b':
++ CHECK_LIMIT(1);
+ usval = va_arg(ap, int);
+ *p++ = usval;
+ break;
+
+ case 's':
++ CHECK_LIMIT(2);
+ usval = va_arg(ap, int);
+ PUTSHORT(usval, p);
+ break;
+
+ case 'l':
++ CHECK_LIMIT(4);
+ lval = va_arg(ap, long);
+ PUTLONG(lval, p);
+ break;
+
+ case 'd':
+- /* get domain-name answer arg and store it in RDATA field */
+- if (offset)
+- *offset = p - (unsigned char *)header;
+- p = do_rfc1035_name(p, va_arg(ap, char *));
+- *p++ = 0;
++ /* get domain-name answer arg and store it in RDATA field */
++ if (offset)
++ *offset = p - (unsigned char *)header;
++ p = do_rfc1035_name(p, va_arg(ap, char *), limit);
++ if (!p)
++ {
++ va_end(ap);
++ goto truncated;
++ }
++ CHECK_LIMIT(1);
++ *p++ = 0;
+ break;
+
+ case 't':
+ usval = va_arg(ap, int);
++ CHECK_LIMIT(usval);
+ sval = va_arg(ap, char *);
+ if (usval != 0)
+ memcpy(p, sval, usval);
+@@ -1141,20 +1169,24 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ usval = sval ? strlen(sval) : 0;
+ if (usval > 255)
+ usval = 255;
++ CHECK_LIMIT(usval + 1);
+ *p++ = (unsigned char)usval;
+ memcpy(p, sval, usval);
+ p += usval;
+ break;
+ }
+
++#undef CHECK_LIMIT
+ va_end(ap); /* clean up variable argument pointer */
+
+ j = p - sav - 2;
+- PUTSHORT(j, sav); /* Now, store real RDLength */
++ /* this has already been checked against limit before */
++ PUTSHORT(j, sav); /* Now, store real RDLength */
+
+ /* check for overflow of buffer */
+ if (limit && ((unsigned char *)limit - p) < 0)
+ {
++truncated:
+ if (truncp)
+ *truncp = 1;
+ return 0;
+diff --git a/src/rfc2131.c b/src/rfc2131.c
+index 8b99d4b..75893a6 100644
+--- a/src/rfc2131.c
++++ b/src/rfc2131.c
+@@ -2420,10 +2420,10 @@ static void do_options(struct dhcp_context *context,
+
+ if (fqdn_flags & 0x04)
+ {
+- p = do_rfc1035_name(p, hostname);
++ p = do_rfc1035_name(p, hostname, NULL);
+ if (domain)
+ {
+- p = do_rfc1035_name(p, domain);
++ p = do_rfc1035_name(p, domain, NULL);
+ *p++ = 0;
+ }
+ }
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f4d69c..73bdee4 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1472,10 +1472,10 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+ if ((p = expand(len + 2)))
+ {
+ *(p++) = state->fqdn_flags;
+- p = do_rfc1035_name(p, state->hostname);
++ p = do_rfc1035_name(p, state->hostname, NULL);
+ if (state->send_domain)
+ {
+- p = do_rfc1035_name(p, state->send_domain);
++ p = do_rfc1035_name(p, state->send_domain, NULL);
+ *p = 0;
+ }
+ }
+diff --git a/src/util.c b/src/util.c
+index 1a9f228..be9f8a6 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -218,15 +218,20 @@ char *canonicalise(char *in, int *nomem)
+ return ret;
+ }
+
+-unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
++unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)
+ {
+ int j;
+
+ while (sval && *sval)
+ {
++ if (limit && p + 1 > (unsigned char*)limit)
++ return p;
++
+ unsigned char *cp = p++;
+ for (j = 0; *sval && (*sval != '.'); sval++, j++)
+ {
++ if (limit && p + 1 > (unsigned char*)limit)
++ return p;
+ #ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
+ *p++ = (*(++sval))-1;
+--
+2.9.5
+
Code Review / pti / rtp.git / blobdiff