[OpenWrt-Devel] [PATCH 14.07][RFC] dnsmasq: backport CVE-2015-3294 security fix

Rafał Miłecki zajec5 at gmail.com
Sat Aug 29 19:49:41 EDT 2015 

Upstream release 2.73 included CVE-2015-3294 fix, let's backport patch
fixing this security issue.
This avoids bumpping version to 2.73 which introduced many new features.
This way we keep dnsmasq safe and don't risk new problems.

Signed-off-by: Rafał Miłecki <zajec5 at gmail.com>
---
This was compile-tested only so far. If noone objects, I'll test it on
brcm47xx and then push.
---
 .../patches/003-Fix-crash-on-receipt-of-certa      | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 package/network/services/dnsmasq/patches/003-Fix-crash-on-receipt-of-certa

diff --git a/package/network/services/dnsmasq/patches/003-Fix-crash-on-receipt-of-certa b/package/network/services/dnsmasq/patches/003-Fix-crash-on-receipt-of-certa
new file mode 100644
index 0000000..eb3075d
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/003-Fix-crash-on-receipt-of-certa
@@ -0,0 +1,37 @@
+From: Simon Kelley <simon at thekelleys.org.uk>
+Date: Thu, 9 Apr 2015 21:48:00 +0100
+Subject: [PATCH] Fix crash on receipt of certain malformed DNS requests.
+
+---
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1198,7 +1198,10 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
+ size_t setup_reply(struct dns_header *header, size_t qlen,
+ 		struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+ {
+-  unsigned char *p = skip_questions(header, qlen);
++  unsigned char *p;
++
++  if (!(p = skip_questions(header, qlen)))
++    return 0;
+   
+   /* clear authoritative and truncated flags, set QR flag */
+   header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
+@@ -1214,7 +1217,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+     SET_RCODE(header, NOERROR); /* empty domain */
+   else if (flags == F_NXDOMAIN)
+     SET_RCODE(header, NXDOMAIN);
+-  else if (p && flags == F_IPV4)
++  else if (flags == F_IPV4)
+     { /* we know the address */
+       SET_RCODE(header, NOERROR);
+       header->ancount = htons(1);
+@@ -1222,7 +1225,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
+       add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
+     }
+ #ifdef HAVE_IPV6
+-  else if (p && flags == F_IPV6)
++  else if (flags == F_IPV6)
+     {
+       SET_RCODE(header, NOERROR);
+       header->ancount = htons(1);
-- 
1.8.4.5
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list