[{"id":1759753,"web_url":"http://patchwork.ozlabs.org/comment/1759753/","msgid":"<CAJLcKsFhv0L=2e1=tCuz7OSvqgEy8UtgWu2kZ5KKCr-soBQg2g@mail.gmail.com>","list_archive_url":null,"date":"2017-08-29T21:01:31","subject":"Re: [LEDE-DEV] [PATCH] dnsmasq: forward.c: fix CVE-2017-13704","submitter":{"id":65331,"url":"http://patchwork.ozlabs.org/api/people/65331/","name":"Hans Dedecker","email":"dedeckeh@gmail.com"},"content":"On Tue, Aug 29, 2017 at 3:29 PM, Kevin Darbyshire-Bryant\n<kevin@darbyshire-bryant.me.uk> wrote:\n> Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()\n> is called with header & limit pointing at the same address and thus\n> tries to clear memory from before the buffer begins.\n>\n> answer_request() is called with an invalid edns packet size provided by\n> the client.  Ensure the udp_size provided by the client is bounded by\n> 512 and configured maximum as per RFC 6891 6.2.3 \"Values lower than 512\n> MUST be treated as equal to 512\"\n>\n> The client that exposed the problem provided a payload udp size of 0.\n>\n> Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>\nAcked-by: Hans Dedecker <dedeckeh@gmail.com>\n> ---\n>  package/network/services/dnsmasq/Makefile          |  2 +-\n>  .../dnsmasq/patches/020-fix-CVE-2017-13704.patch   | 37 ++++++++++++++++++++++\n>  2 files changed, 38 insertions(+), 1 deletion(-)\n>  create mode 100644 package/network/services/dnsmasq/patches/020-fix-CVE-2017-13704.patch\n>\n> diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile\n> index d7f14f9..bd7f610 100644\n> --- a/package/network/services/dnsmasq/Makefile\n> +++ b/package/network/services/dnsmasq/Makefile\n> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk\n>\n>  PKG_NAME:=dnsmasq\n>  PKG_VERSION:=2.77\n> -PKG_RELEASE:=9\n> +PKG_RELEASE:=10\n>\n>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz\n>  PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/\n> 
diff --git a/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch\n> new file mode 100644\n> index 0000000..8848131\n> --- /dev/null\n> +++ b/package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch\n> 
@@ -0,0 +1,37 @@\n> +From 38af9b1ac3242a4128e88069c495024caa565f0e Mon Sep 17 00:00:00 2001\n> +From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>\n> +Date: Tue, 29 Aug 2017 12:35:40 +0100\n> +Subject: [PATCH] forward.c: fix CVE-2017-13704\n> +\n> +Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()\n> +is called with header & limit pointing at the same address and thus\n> +tries to clear memory from before the buffer begins.\n> +\n> +answer_request() is called with an invalid edns packet size provided by\n> +the client.  Ensure the udp_size provided by the client is bounded by\n> +512 and configured maximum as per RFC 6891 6.2.3 \"Values lower than 512\n> +MUST be treated as equal to 512\"\n> +\n> +The client that exposed the problem provided a payload udp size of 0.\n> +\n> +Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>\n> +---\n> + src/forward.c | 2 ++\n> + 1 file changed, 2 insertions(+)\n> +\n> +diff --git a/src/forward.c b/src/forward.c\n> +index f22556a..62c5a5a 100644\n> +--- a/src/forward.c\n> ++++ b/src/forward.c\n> +@@ -1408,6 +1408,8 @@ void receive_query(struct listener *listen, time_t now)\n> +        defaults to 512 */\n> +       if (udp_size > daemon->edns_pktsz)\n> +       udp_size = daemon->edns_pktsz;\n> ++      if (udp_size < 512)\n> ++      udp_size = 512; /* RFC 6891 6.2.3 */\n> +     }\n> +\n> + #ifdef HAVE_AUTH\n> +--\n> +2.7.4\n> +\n> --\n> 2.7.4\n>\n>\n> _______________________________________________\n> Lede-dev mailing list\n> Lede-dev@lists.infradead.org\n> http://lists.infradead.org/mailman/listinfo/lede-dev","headers":{"Return-Path":"<lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org; spf=none (mailfrom)\n\tsmtp.mailfrom=lists.infradead.org 
(client-ip=65.50.211.133;\n\thelo=bombadil.infradead.org;\n\tenvelope-from=lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=lists.infradead.org\n\theader.i=@lists.infradead.org header.b=\"ZpmaLQtU\"; \n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"d1yHrXKK\"; dkim-atps=neutral"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n\t[65.50.211.133])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xhkLZ3dlNz9sP5\n\tfor <incoming@patchwork.ozlabs.org>;\n\tWed, 30 Aug 2017 08:48:06 +1000 (AEST)","from localhost ([127.0.0.1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))\n\tid 1dmpIL-0006O8-3Q; Tue, 29 Aug 2017 22:47:42 +0000","from mail-pf0-x229.google.com ([2607:f8b0:400e:c00::229])\n\tby bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))\n\tid 1dmpHv-0006N3-Tw\n\tfor lede-dev@lists.infradead.org; Tue, 29 Aug 2017 22:47:17 +0000","by mail-pf0-x229.google.com with SMTP id l87so4313514pfj.1\n\tfor <lede-dev@lists.infradead.org>;\n\tTue, 29 Aug 2017 15:46:55 -0700 (PDT)","by 10.100.154.66 with HTTP; Tue, 29 Aug 2017 14:01:31 -0700 (PDT)"],"X-Received":"by 10.84.218.72 with SMTP id f8mr1934975plm.55.1504040492014;\n\tTue, 29 Aug 2017 14:01:32 -0700 
(PDT)","MIME-Version":"1.0","In-Reply-To":"<1504013358-17336-1-git-send-email-kevin@darbyshire-bryant.me.uk>","References":"<1504013358-17336-1-git-send-email-kevin@darbyshire-bryant.me.uk>","From":"Hans Dedecker <dedeckeh@gmail.com>","Date":"Tue, 29 Aug 2017 23:01:31 +0200","Message-ID":"<CAJLcKsFhv0L=2e1=tCuz7OSvqgEy8UtgWu2kZ5KKCr-soBQg2g@mail.gmail.com>","To":"Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20170829_154716_000849_74058361 ","X-CRM114-Status":"GOOD (  16.00  )","X-Spam-Score":"-2.0 (--)","X-Spam-Report":"SpamAssassin version 3.4.1 on bombadil.infradead.org summary:\n\tContent analysis details:   (-2.0 points)\n\tpts rule name              description\n\t---- ----------------------\n\t--------------------------------------------------\n\t-0.0 SPF_PASS               SPF: sender matches SPF record\n\t0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail\n\tprovider (dedeckeh[at]gmail.com)\n\t-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n\t[score: 0.0000]\n\t-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature\n\t0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n\tnot necessarily valid\n\t-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n\tauthor's domain","Subject":"Re: [LEDE-DEV] [PATCH] dnsmasq: forward.c: fix 
CVE-2017-13704","X-BeenThere":"lede-dev@lists.infradead.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<lede-dev.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/lede-dev>,\n\t<mailto:lede-dev-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/lede-dev/>","List-Post":"<mailto:lede-dev@lists.infradead.org>","List-Help":"<mailto:lede-dev-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/lede-dev>,\n\t<mailto:lede-dev-request@lists.infradead.org?subject=subscribe>","Cc":"LEDE Development List <lede-dev@lists.infradead.org>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Lede-dev\" <lede-dev-bounces@lists.infradead.org>","Errors-To":"lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"}}]