On Tue, Aug 29, 2017 at 3:29 PM, Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> wrote: > Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() > is called with header & limit pointing at the same address and thus > tries to clear memory from before the buffer begins. > > answer_request() is called with an invalid edns packet size provided by > the client. Ensure the udp_size provided by the client is bounded by > 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 > MUST be treated as equal to 512" > > The client that exposed the problem provided a payload udp size of 0. > > Signed-off-by: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> Acked-by: Hans Dedecker <dedec...@gmail.com> > --- > package/network/services/dnsmasq/Makefile | 2 +- > .../dnsmasq/patches/020-fix-CVE-2017-13704.patch | 37 > ++++++++++++++++++++++ > 2 files changed, 38 insertions(+), 1 deletion(-) > create mode 100644 > package/network/services/dnsmasq/patches/020-fix-CVE-2017-13704.patch > > diff --git a/package/network/services/dnsmasq/Makefile > b/package/network/services/dnsmasq/Makefile > index d7f14f9..bd7f610 100644 > --- a/package/network/services/dnsmasq/Makefile > +++ b/package/network/services/dnsmasq/Makefile > @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk > > PKG_NAME:=dnsmasq > PKG_VERSION:=2.77 > -PKG_RELEASE:=9 > +PKG_RELEASE:=10 > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz > PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/ > diff --git > a/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch > b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch > new file mode 100644 > index 0000000..8848131 > --- /dev/null > +++ b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch 
> @@ -0,0 +1,37 @@ > +From 38af9b1ac3242a4128e88069c495024caa565f0e Mon Sep 17 00:00:00 2001 > +From: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> > +Date: Tue, 29 Aug 2017 12:35:40 +0100 > +Subject: [PATCH] forward.c: fix CVE-2017-13704 > + > +Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() > +is called with header & limit pointing at the same address and thus > +tries to clear memory from before the buffer begins. > + > +answer_request() is called with an invalid edns packet size provided by > +the client. Ensure the udp_size provided by the client is bounded by > +512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 > +MUST be treated as equal to 512" > + > +The client that exposed the problem provided a payload udp size of 0. > + > +Signed-off-by: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> > +--- > + src/forward.c | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/src/forward.c b/src/forward.c > +index f22556a..62c5a5a 100644 > +--- a/src/forward.c > ++++ b/src/forward.c > +@@ -1408,6 +1408,8 @@ void receive_query(struct listener *listen, time_t now) > + defaults to 512 */ > + if (udp_size > daemon->edns_pktsz) > + udp_size = daemon->edns_pktsz; > ++ if (udp_size < 512) > ++ udp_size = 512; /* RFC 6891 6.2.3 */ > + } > + > + #ifdef HAVE_AUTH > +-- > +2.7.4 > + > -- > 2.7.4 > > > _______________________________________________ > Lede-dev mailing list > Lede-dev@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/lede-dev
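Review bot: the file the diff creates is 025-fix-CVE-2017-13704.patch, but the diffstat and the "create mode 100644" line still name 020-fix-CVE-2017-13704.patch; regenerate the patch after the rename (git format-patch) so the stat, the create-mode line and the diff --git header all agree, and check that 025 does not collide with a patch number already in package/network/services/dnsmasq/patches.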
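Review bot: in the forward.c hunk the new floor runs after the cap, so `if (udp_size > daemon->edns_pktsz)` followed by `if (udp_size < 512)` yields 512 even when daemon->edns_pktsz is configured below 512, which is not the "bounded by 512 and configured maximum" the message describes; this is only correct if dnsmasq already guarantees edns_pktsz >= 512 at startup, so either state that assumption in the comment or make the floor an `else if` on the cap so one clamp cannot undo the other. The bare 512 would also read better as PACKETSZ (512, from arpa/nameser.h), which is what the existing "defaults to 512" context refers to.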