From 35c602043d8f776c6fa0f8489bcbfc6d5fd3e94d Mon Sep 17 00:00:00 2001 From: Petr Menšík Date: Oct 03 2017 11:53:42 +0000 Subject: More patches related to CVE-2017-14491 Signed-off-by: Petr Menšík
---
diff --git a/dnsmasq-2.77-arcount.patch b/dnsmasq-2.77-arcount.patch
new file mode 100644
index 0000000..e6bf0d7
--- /dev/null
+++ b/dnsmasq-2.77-arcount.patch
@@ -0,0 +1,44 @@
+From a3303e196e5d304ec955c4d63afb923ade66c6e8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Thu, 7 Sep 2017 20:45:00 +0100
+Subject: [PATCH] Don't return arcount=1 if EDNS0 RR won't fit in the packet.
+
+Omitting the EDNS0 RR but setting arcount gives a malformed packet.
+Also, don't accept UDP packet size less than 512 in recieved EDNS0.
+---
+ src/edns0.c | 5 ++++-
+ src/forward.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index 3fde17f..f5b798c 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -208,7 +208,10 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ free(buff);
+ p += rdlen;
+ }
+- header->arcount = htons(ntohs(header->arcount) + 1);
++
++ /* Only bump arcount if RR is going to fit */
++ if (((ssize_t)optlen) <= (limit - (p + 4)))
++ header->arcount = htons(ntohs(header->arcount) + 1);
+ }
+ 
+ if (((ssize_t)optlen) > (limit - (p + 4)))
+diff --git a/src/forward.c b/src/forward.c
+index e3fa94b..942b02d 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1412,6 +1412,8 @@ void receive_query(struct listener *listen, time_t now)
+ defaults to 512 */
+ if (udp_size > daemon->edns_pktsz)
+ udp_size = daemon->edns_pktsz;
++ else if (udp_size < PACKETSZ)
++ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
+ }
+ 
+ #ifdef HAVE_AUTH
+-- 
+2.9.5
+
diff --git a/dnsmasq-2.77-underflow.patch b/dnsmasq-2.77-underflow.patch
new file mode 100644
index 0000000..918c296
--- /dev/null
+++ b/dnsmasq-2.77-underflow.patch
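Review bot: The new fit test `if (((ssize_t)optlen) <= (limit - (p + 4)))` is the exact negation of the `if (((ssize_t)optlen) > (limit - (p + 4)))` two lines below it, and nothing ties the two together, so a later edit to one can leave arcount disagreeing with the packet again; either compute `ssize_t room = limit - (p + 4);` once and use it in both tests, or add `/* must stay the inverse of the "won't fit" test below, else arcount and the packet disagree */` on the new line. Both tests also form the pointer `p + 4` before comparing it with limit; `(limit - p) >= (ssize_t)optlen + 4` is the same check without stepping past the buffer end when p is within 4 bytes of limit. In the forward.c hunk the floor `else if (udp_size < PACKETSZ)` only runs when udp_size was not above daemon->edns_pktsz, so if edns_pktsz can itself be configured below PACKETSZ (not visible here) the clamped-down path skips the floor; `if (udp_size > daemon->edns_pktsz) udp_size = daemon->edns_pktsz; if (udp_size < PACKETSZ) udp_size = PACKETSZ;` applies it unconditionally. add_pseudoheader and receive_query both begin and end outside this hunk.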
@@ -0,0 +1,74 @@
+From 9d2757b9714523b53ed487b57e740f1b5beb4e0b Mon Sep 17 00:00:00 2001
+From: Doran Moppert
+Date: Tue, 26 Sep 2017 14:48:20 +0930
+Subject: [PATCH] google patch hand-applied
+
+---
+ src/edns0.c | 10 +++++-----
+ src/forward.c | 4 ++++
+ src/rfc1035.c | 6 ++++--
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index 9c6dbcb..268fbe7 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ /* Copy back any options */
+ if (buff)
+ {
+- if (p + rdlen > limit)
+- {
+- free(buff);
+- return plen; /* Too big */
+- }
++ if (p + rdlen > limit)
++ {
++ free(buff);
++ return plen; /* Too big */
++ }
+ memcpy(p, buff, rdlen);
+ free(buff);
+ p += rdlen;
+diff --git a/src/forward.c b/src/forward.c
+index d1962be..6b9c16e 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1417,6 +1417,10 @@ void receive_query(struct listener *listen, time_t now)
+ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
+ }
+ 
++ // Make sure the udp size is not smaller than the incoming message so that we
++ // do not underflow
++ if (udp_size < n) udp_size = n;
++
+ #ifdef HAVE_AUTH
+ if (auth_dns)
+ {
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 0bf3bcc..3513455 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1198,8 +1198,8 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ va_end(ap); /* clean up variable argument pointer */
+ 
+ j = p - sav - 2;
+- /* this has already been checked against limit before */
+- PUTSHORT(j, sav); /* Now, store real RDLength */
++ /* this has already been checked against limit before */
++ PUTSHORT(j, sav); /* Now, store real RDLength */
+ 
+ /* check for overflow of buffer */
+ if (limit && ((unsigned char *)limit - p) < 0)
+@@ -1259,6 +1259,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
+ struct mx_srv_record *rec;
+ size_t len;
++ // Make sure we do not underflow here too.
++ if (qlen > (limit - ((char *)header))) return 0;
+ 
+ if (ntohs(header->ancount) != 0 ||
+ ntohs(header->nscount) != 0 ||
+-- 
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 7e861f3..ec4e468 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -13,7 +13,7 @@
 Name: dnsmasq
 Version: 2.77
-Release: 8%{?extraversion:.%{extraversion}}%{?dist}
+Release: 9%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 Group: System Environment/Daemons
@@ -32,6 +32,8 @@ Patch7: dnsmasq-2.77-CVE-2017-14495.patch
 Patch8: dnsmasq-2.77-misc-cleanups.patch
 Patch9: dnsmasq-2.77-CVE-2017-14491-2.patch
 Patch10: dnsmasq-2.77-stdio.h.patch
+Patch11: dnsmasq-2.77-arcount.patch
+Patch12: dnsmasq-2.77-underflow.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
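Review bot: The new guard in answer_request, `if (qlen > (limit - ((char *)header))) return 0;`, compares the size_t qlen (per the hunk header) with a ptrdiff_t, so the pointer difference is converted to unsigned and a limit that lies below header would pass the check instead of failing it; `if (limit - (char *)header < 0 || qlen > (size_t)(limit - (char *)header)) return 0;` makes the sign handling explicit, and since the visible add_resource_record code treats a NULL limit as "no limit" (`if (limit && ...)`), the comment should also state that answer_request requires a non-NULL limit (whether any caller passes NULL is not visible here). The forward.c addition `if (udp_size < n) udp_size = n;` raises the reply ceiling above the clamp applied just before it, which is the intent but is worth saying in the comment, e.g. `/* the query length deliberately overrides the negotiated size so the reply buffer is never smaller than the query */`. The three added comments use `//` while the surrounding lines use `/* */`, and the re-indented edns0.c and rfc1035.c lines change whitespace only, which makes the security patch harder to audit. receive_query, add_resource_record and answer_request all begin and end outside this hunk.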
@@ -76,6 +78,8 @@ query/remove a DHCP server's leases.
 %patch8 -p1 -b .misc-cleanups
 %patch9 -p1 -b .CVE-2017-14491-2
 %patch10 -p1 -b .stdio.h
+%patch11 -p1 -b .arcount
+%patch12 -p1 -b .underflow
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -162,6 +166,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/dhcp_*
 %changelog
+* Tue Oct 03 2017 Petr Menšík - 2.77-9
+- More patches related to CVE-2017-14491
+
 * Mon Oct 02 2017 Petr Menšík - 2.77-8
 - Security fix, CVE-2017-14491, DNS heap buffer overflow
 - Security fix, CVE-2017-14492, DHCPv6 RA heap overflow