[ipfire-2.x.git] / src / patches / dnsmasq / 0095-Fix-buffer-overflow-introduced-in-2.73rc6.patch

From 5d07d77e75e0f02bc0a8f6029ffbc8b371fa804e Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 15 May 2015 18:13:06 +0100
Subject: [PATCH 095/113] Fix buffer overflow introduced in 2.73rc6.

Fix off-by-one in code which checks for over-long domain names
in received DNS packets. This enables buffer overflow attacks
which can certainly crash dnsmasq and may allow for arbitrary
code execution. The problem was introduced in commit b8f16556d,
release 2.73rc6, so has not escaped into any stable release.
Note that the off-by-one was in the label length determination,
so the buffer can be overflowed by as many bytes as there are
labels in the name - ie, many.

Thanks to Ron Bowes, who used lcmatuf's afl-fuzz tool to find
the problem.
---
 src/rfc1035.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 5e3f566fdbc5..a95241f83523 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -94,8 +94,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
 	    count = 256;
 	  digs = ((count-1)>>2)+1;
 	  
-	  /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
-	  namelen += digs+6;
+	  /* output is \[x<hex>/siz]. which is digs+7/8/9 chars */
+	  namelen += digs+7;
 	  if (count > 9)
 	    namelen++;
 	  if (count > 99)
@@ -125,8 +125,8 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
 	}
       else 
 	{ /* label_type = 0 -> label. */
-	  namelen += l;
-	  if (namelen+1 >= MAXDNAME)
+	  namelen += l + 1; /* include period */
+	  if (namelen >= MAXDNAME)
 	    return 0;
 	  if (!CHECK_LEN(header, p, plen, l))
 	    return 0;
-- 
2.1.0
Commit	Line	Data
efbd3a9a MT	1	From 5d07d77e75e0f02bc0a8f6029ffbc8b371fa804e Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Fri, 15 May 2015 18:13:06 +0100
697b4f04	4	Subject: [PATCH 095/113] Fix buffer overflow introduced in 2.73rc6.
efbd3a9a MT	5
	6	Fix off-by-one in code which checks for over-long domain names
	7	in received DNS packets. This enables buffer overflow attacks
	8	which can certainly crash dnsmasq and may allow for arbitrary
	9	code execution. The problem was introduced in commit b8f16556d,
	10	release 2.73rc6, so has not escaped into any stable release.
	11	Note that the off-by-one was in the label length determination,
	12	so the buffer can be overflowed by as many bytes as there are
	13	labels in the name - ie, many.
	14
	15	Thanks to Ron Bowes, who used lcmatuf's afl-fuzz tool to find
	16	the problem.
	17	---
	18	src/rfc1035.c \| 8 ++++----
	19	1 file changed, 4 insertions(+), 4 deletions(-)
	20
	21	diff --git a/src/rfc1035.c b/src/rfc1035.c
	22	index 5e3f566fdbc5..a95241f83523 100644
	23	--- a/src/rfc1035.c
	24	+++ b/src/rfc1035.c
	25	@@ -94,8 +94,8 @@ int extract_name(struct dns_header header, size_t plen, unsigned char *pp,
	26	count = 256;
	27	digs = ((count-1)>>2)+1;
	28
	29	- /* output is \[x<hex>/siz]. which is digs+6/7/8 chars */
	30	- namelen += digs+6;
	31	+ /* output is \[x<hex>/siz]. which is digs+7/8/9 chars */
	32	+ namelen += digs+7;
	33	if (count > 9)
	34	namelen++;
	35	if (count > 99)
	36	@@ -125,8 +125,8 @@ int extract_name(struct dns_header header, size_t plen, unsigned char *pp,
	37	}
	38	else
	39	{ /* label_type = 0 -> label. */
	40	- namelen += l;
	41	- if (namelen+1 >= MAXDNAME)
	42	+ namelen += l + 1; /* include period */
	43	+ if (namelen >= MAXDNAME)
	44	return 0;
	45	if (!CHECK_LEN(header, p, plen, l))
	46	return 0;
	47	--
	48	2.1.0
	49