1 From 5d07d77e75e0f02bc0a8f6029ffbc8b371fa804e Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Fri, 15 May 2015 18:13:06 +0100
4 Subject: [PATCH] Fix buffer overflow introduced in 2.73rc6.
6 Fix off-by-one in code which checks for over-long domain names
7 in received DNS packets. This enables buffer overflow attacks
8 which can certainly crash dnsmasq and may allow for arbitrary
9 code execution. The problem was introduced in commit b8f16556d,
10 release 2.73rc6, so has not escaped into any stable release.
11 Note that the off-by-one was in the label length determination,
12 so the buffer can be overflowed by as many bytes as there are
13 labels in the name - ie, many.
15 Thanks to Ron Bowes, who used lcmatuf's afl-fuzz tool to find
18 src/rfc1035.c | 8 ++++----
19 1 file changed, 4 insertions(+), 4 deletions(-)
21 diff --git a/src/rfc1035.c b/src/rfc1035.c
22 index 5e3f566..a95241f 100644
25 @@ -94,8 +94,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
27 digs = ((count-1)>>2)+1;
29 - /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
31 + /* output is \[x<hex>/siz]. which is digs+7/8/9 chars */
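Review bot: The corrected comment on the bitstring-label branch states the output length as digs+7/8/9 but not where those numbers come from, so the next reader has to redo the same arithmetic that was off by one before this fix. Spelling the components out makes the bound auditable at a glance: `/* output is \[x<hex>/siz]. : "\[x" (3) + digs + "/" (1) + siz (1..3 digits) + "]." (2) = digs+7/8/9 chars */`. The 1..3 digit range for siz is inferred from the three alternatives given and should be confirmed against the value actually printed. The bound check that consumes this count, and the rest of extract_name, lie outside this hunk fragment.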
36 @@ -125,8 +125,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
39 { /* label_type = 0 -> label. */
41 - if (namelen+1 >= MAXDNAME)
42 + namelen += l + 1; /* include period */
43 + if (namelen >= MAXDNAME)
45 if (!CHECK_LEN(header, p, plen, l))