Blame SOURCES/dnsmasq-2.76-CVE-2017-14491-2.patch

814650
From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
814650
From: Simon Kelley <simon@thekelleys.org.uk>
814650
Date: Tue, 26 Sep 2017 22:00:11 +0100
814650
Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.
814650
814650
Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
814650
Handles case when RR name is not a pointer to the question,
814650
only occurs for some auth-mode replies, therefore not
814650
detected by fuzzing (?)
814650
---
814650
 src/rfc1035.c | 27 +++++++++++++++------------
814650
 1 file changed, 15 insertions(+), 12 deletions(-)
814650
814650
diff --git a/src/rfc1035.c b/src/rfc1035.c
814650
index 27af023..56ab88b 100644
814650
--- a/src/rfc1035.c
814650
+++ b/src/rfc1035.c
814650
@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
814650
 
814650
   va_start(ap, format);   /* make ap point to 1st unamed argument */
814650
 
814650
-  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
814650
-  CHECK_LIMIT(12);
814650
-
814650
   if (nameoffset > 0)
814650
     {
814650
+      CHECK_LIMIT(2);
814650
       PUTSHORT(nameoffset | 0xc000, p);
814650
     }
814650
   else
814650
     {
814650
       char *name = va_arg(ap, char *);
814650
-      if (name)
814650
-	p = do_rfc1035_name(p, name, limit);
814650
-        if (!p)
814650
-          {
814650
-            va_end(ap);
814650
-            goto truncated;
814650
-          }
814650
-
814650
+      if (name && !(p = do_rfc1035_name(p, name, limit)))
814650
+	{
814650
+	  va_end(ap);
814650
+	  goto truncated;
814650
+	}
814650
+      
814650
       if (nameoffset < 0)
814650
 	{
814650
+	  CHECK_LIMIT(2);
814650
 	  PUTSHORT(-nameoffset | 0xc000, p);
814650
 	}
814650
       else
814650
-	*p++ = 0;
814650
+	{
814650
+	  CHECK_LIMIT(1);
814650
+	  *p++ = 0;
814650
+	}
814650
     }
814650
 
814650
+  /* type (2) + class (2) + ttl (4) + rdlen (2) */
814650
+  CHECK_LIMIT(10);
814650
+  
814650
   PUTSHORT(type, p);
814650
   PUTSHORT(class, p);
814650
   PUTLONG(ttl, p);      /* TTL */
814650
-- 
814650
2.7.4
814650