X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=meta-stx%2Frecipes-support%2Fdnsmasq%2Fdnsmasq%2Fstx%2Fdnsmasq-2.76-CVE-2017-14491-2.patch;fp=meta-stx%2Frecipes-support%2Fdnsmasq%2Fdnsmasq%2Fstx%2Fdnsmasq-2.76-CVE-2017-14491-2.patch;h=393556619453abd29506edb4ecfaef23b92e6f2c;hb=d41692264a2b1a54082ef936d2830cd9d4fa6b62;hp=0000000000000000000000000000000000000000;hpb=4bed284cd2c43e567f233632ae159b6395b05995;p=pti%2Frtp.git
diff --git a/meta-stx/recipes-support/dnsmasq/dnsmasq/stx/dnsmasq-2.76-CVE-2017-14491-2.patch b/meta-stx/recipes-support/dnsmasq/dnsmasq/stx/dnsmasq-2.76-CVE-2017-14491-2.patch
new file mode 100644
index 0000000..3935566
--- /dev/null
+++ b/meta-stx/recipes-support/dnsmasq/dnsmasq/stx/dnsmasq-2.76-CVE-2017-14491-2.patch
@@ -0,0 +1,68 @@
+From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 27af023..56ab88b 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ 
+ va_start(ap, format); /* make ap point to 1st unamed argument */
+ 
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+-
+ if (nameoffset > 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(nameoffset | 0xc000, p);
+ }
+ else
+ {
+ char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+-
+ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++
+ if (nameoffset < 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(-nameoffset | 0xc000, p);
+ }
+ else
+- *p++ = 0;
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+ }
+ 
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++
+ PUTSHORT(type, p);
+ PUTSHORT(class, p);
+ PUTLONG(ttl, p); /* TTL */
+-- 
+2.7.4
+
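Review bot: The line `if (name && !(p = do_rfc1035_name(p, name, limit)))` in the rfc1035.c hunk carries a context marker in this copy, yet the inner header `@@ -1086,32 +1086,35 @@` only balances (32 old, 35 new lines) if that line is an added (`++`) line, so as printed the patch would not apply cleanly; confirm the committed file marks it as added (e.g. `git apply --check` during do_patch) before the recipe relies on it. `CHECK_LIMIT` is used but not defined anywhere in this hunk, and the message calls this a further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc, so it presumably depends on that earlier fix being applied first — the recipe's SRC_URI ordering is outside this diff and should be checked. A provenance header such as `Upstream-Status: Backport [62cb936cb7ad5f219715515ae7d32dd281a5aa1f]` above the upstream message would document that this is an unmodified upstream backport. add_resource_record begins and ends outside the hunk.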