$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
--- /dev/null
+From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 6 Jul 2016 21:30:25 +0100
+Subject: [PATCH] Calculate length of TFTP error reply correctly.
+
+---
+ CHANGELOG | 14 ++++++++++++++
+ src/tftp.c | 7 +++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 04ff3f0..0559a6f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,17 @@
++version 2.77
++ Calculate the length of TFTP error reply packet
++ correctly. This fixes a problem when the error
++ message in a TFTP packet exceeds the arbitrary
++ limit of 500 characters. The message was correctly
++ truncated, but not the packet length, so
++ extra data was appended. This is a possible
++ security risk, since the extra data comes from
++ a buffer which is also used for DNS, so that
++ previous DNS queries or replies may be leaked.
++ Thanks to Mozilla for funding the security audit
++ which spotted this bug.
++
++
+ version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+ translates to hosts on the local network, or, at
+diff --git a/src/tftp.c b/src/tftp.c
+index 5e4a32a..3e1b5c5 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -652,20 +652,23 @@ static void sanitise(char *buf)
+
+ }
+
++#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */
+ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
+ {
+ struct errmess {
+ unsigned short op, err;
+ char message[];
+ } *mess = (struct errmess *)packet;
+- ssize_t ret = 4;
++ ssize_t len, ret = 4;
+ char *errstr = strerror(errno);
+
+ sanitise(file);
+
+ mess->op = htons(OP_ERR);
+ mess->err = htons(err);
+- ret += (snprintf(mess->message, 500, message, file, errstr) + 1);
++ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr);
++ ret += (len < MAXMESSAGE) ? len + 1 : MAXMESSAGE; /* include terminating zero */
++
+ my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
+
+ return ret;
+--
+1.7.10.4
+
--- /dev/null
+From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 6 Jul 2016 21:33:56 +0100
+Subject: [PATCH] Zero newly malloc'ed memory.
+
+---
+ src/util.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util.c b/src/util.c
+index 93b24f5..82443c9 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -248,6 +248,8 @@ void *safe_malloc(size_t size)
+
+ if (!ret)
+ die(_("could not get memory"), NULL, EC_NOMEM);
++ else
++ memset(ret, 0, size);
+
+ return ret;
+ }
+@@ -266,7 +268,9 @@ void *whine_malloc(size_t size)
+
+ if (!ret)
+ my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
+-
++ else
++ memset(ret, 0, size);
++
+ return ret;
+ }
+
+--
+1.7.10.4
+
--- /dev/null
+From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 6 Jul 2016 21:42:27 +0100
+Subject: [PATCH] Check return of expand() always.
+
+---
+ src/radv.c | 4 +++-
+ src/slaac.c | 5 ++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/radv.c b/src/radv.c
+index 749b666..faa0f6d 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
+ parm.prio = calc_prio(ra_param);
+
+ save_counter(0);
+- ra = expand(sizeof(struct ra_packet));
++
++ if (!(ra = expand(sizeof(struct ra_packet))))
++ return;
+
+ ra->type = ND_ROUTER_ADVERT;
+ ra->code = 0;
+diff --git a/src/slaac.c b/src/slaac.c
+index 8034805..07b8ba4 100644
+--- a/src/slaac.c
++++ b/src/slaac.c
+@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
+ struct sockaddr_in6 addr;
+
+ save_counter(0);
+- ping = expand(sizeof(struct ping_packet));
++
++ if (!(ping = expand(sizeof(struct ping_packet))))
++ continue;
++
+ ping->type = ICMP6_ECHO_REQUEST;
+ ping->code = 0;
+ ping->identifier = ping_id;
+--
+1.7.10.4
+
projects / people / amarx / ipfire-2.x.git / commitdiff
