1 | From 5d07d77e75e0f02bc0a8f6029ffbc8b371fa804e Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Fri, 15 May 2015 18:13:06 +0100 | |
4 | Subject: [PATCH] Fix buffer overflow introduced in 2.73rc6. | |
5 | ||
6 | Fix off-by-one in code which checks for over-long domain names | |
7 | in received DNS packets. This enables buffer overflow attacks | |
8 | which can certainly crash dnsmasq and may allow for arbitrary | |
9 | code execution. The problem was introduced in commit b8f16556d, | |
10 | release 2.73rc6, so has not escaped into any stable release. | |
11 | Note that the off-by-one was in the label length determination, | |
12 | so the buffer can be overflowed by as many bytes as there are | |
13 | labels in the name - ie, many. | |
14 | ||
15 | Thanks to Ron Bowes, who used lcamtuf's afl-fuzz tool to find | |
16 | the problem. | |
17 | --- | |
18 | src/rfc1035.c | 8 ++++---- | |
19 | 1 file changed, 4 insertions(+), 4 deletions(-) | |
20 | ||
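diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5e3f566..a95241f 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -94,8 +94,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
 count = 256;
 digs = ((count-1)>>2)+1;
 
- /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
- namelen += digs+6;
+ /* output is \[x<hex>/siz]. which is digs+7/8/9 chars */
+ namelen += digs+7;
 if (count > 9)
 namelen++;
 if (count > 99)
@@ -125,8 +125,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
 }
 else
 { /* label_type = 0 -> label. */
- namelen += l;
- if (namelen+1 >= MAXDNAME)
+ namelen += l + 1; /* include period */
+ if (namelen >= MAXDNAME)
 return 0;
 if (!CHECK_LEN(header, p, plen, l))
 return 0;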
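Review bot: The invariant both hunks rely on — `namelen` counts every byte that will be written to the output name, the '.' after each label included, and the `>= MAXDNAME` test is what reserves room for the terminating NUL — is stated nowhere in `extract_name`, which is exactly how the original `namelen+1` accounting drifted; a one-line comment at the `namelen` declaration (outside both hunks; `extract_name` starts before the first hunk and continues past the second) such as `/* namelen: bytes emitted into name so far, '.' after each label included; must stay < MAXDNAME to leave room for the NUL */` would tie the two accounting sites together. The first hunk's `digs+7` plus the `count > 9` / `count > 99` increments depends on the same invariant, and no `namelen >= MAXDNAME` check is visible inside that hunk — presumably it follows the cut, but it is worth confirming the bit-label branch is bounded the same way as the plain-label branch. Since a fuzzer found this, a regression input whose labels sum to exactly MAXDNAME-1 and MAXDNAME bytes (periods included) would pin the boundary so the `+1` cannot drift again.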
47 | -- | |
48 | 1.7.10.4 | |