diff options
| author | Peter Korsgaard <peter@korsgaard.com> | 2017-10-21 21:12:59 +0200 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2017-10-21 23:00:45 +0200 |
| commit | 209f42fd3a5f4357e22fb72f1597a6868566aabd (patch) | |
| tree | bd9ab553572edbbee9200719e0110e6b6caa17de | |
| parent | 5f50fb8d1df51b622537da015f8c3b7b6dcbbc35 (diff) | |
| download | buildroot-209f42fd3a5f4357e22fb72f1597a6868566aabd.tar.gz buildroot-209f42fd3a5f4357e22fb72f1597a6868566aabd.zip | |
musl: add upstream security fix for CVE-2017-15650
>From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5
Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.
When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| -rw-r--r-- | package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch b/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch new file mode 100644 index 0000000000..c6b5ef26b4 --- /dev/null +++ b/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch @@ -0,0 +1,35 @@ +From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Wed, 18 Oct 2017 14:50:03 -0400 +Subject: [PATCH] in dns parsing callback, enforce MAXADDRS to preclude + overflow + +MAXADDRS was chosen not to need enforcement, but the logic used to +compute it assumes the answers received match the RR types of the +queries. specifically, it assumes that only one replu contains A +record answers. if the replies to both the A and the AAAA query have +their answer sections filled with A records, MAXADDRS can be exceeded +and clobber the stack of the calling function. + +this bug was found and reported by Felix Wilhelm. + +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> +--- + src/network/lookup_name.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c +index 066be4d5..209c20f0 100644 +--- a/src/network/lookup_name.c ++++ b/src/network/lookup_name.c +@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const + { + char tmp[256]; + struct dpc_ctx *ctx = c; ++ if (ctx->cnt >= MAXADDRS) return -1; + switch (rr) { + case RR_A: + if (len != 4) return -1; +-- +2.11.0 + |
