NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

busybox: security bump to version 1.24.2

Browse Source 
The version bump doesn't inherently fix the security issues, however the
added CVE patches do, which fix:

CVE-2016-2147 - out of bounds write (heap) due to integer underflow in
udhcpc.
CVE-2016-2148 - heap-based buffer overflow in OPTION_6RD parsing.

Drop patches that are upstream as well.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Gustavo Zacarias 2016-03-25 18:56:32 -03:00 committed by Peter Korsgaard
parent 61c433b321
commit 157dc65fb7
9 changed files with 217 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch → package/busybox/0002-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
View File

111
package/busybox/0002-unzip.patch
View File

@ -1,111 +0,0 @@
From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Mon, 26 Oct 2015 19:33:05 +0100
Subject: [PATCH] unzip: test for bad archive SEGVing
function old new delta
huft_build 1296 1300 +4
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
archival/libarchive/decompress_gunzip.c | 11 +++++++----
testsuite/unzip.tests | 23 ++++++++++++++++++++++-
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
index 7b6f459..30bf451 100644
--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
unsigned i; /* counter, current code */
unsigned j; /* counter */
int k; /* number of bits in current code */
- unsigned *p; /* pointer into c[], b[], or v[] */
+ const unsigned *p; /* pointer into c[], b[], or v[] */
huft_t *q; /* points to current table */
huft_t r; /* table entry for structure assignment */
huft_t *u[BMAX]; /* table stack */
unsigned v[N_MAX]; /* values in order of bit length */
+ unsigned v_end;
int ws[BMAX + 1]; /* bits decoded stack */
int w; /* bits decoded */
unsigned x[BMAX + 1]; /* bit offsets, then code stack */
@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
/* Generate counts for each bit length */
memset(c, 0, sizeof(c));
- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
+ p = b;
i = n;
do {
c[*p]++; /* assume all entries <= BMAX */
@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
}
/* Make a table of values in order of bit lengths */
- p = (unsigned *) b;
+ p = b;
i = 0;
+ v_end = 0;
do {
j = *p++;
if (j != 0) {
v[x[j]++] = i;
+ v_end = x[j];
}
} while (++i < n);
@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
/* set up table entry in r */
r.b = (unsigned char) (k - w);
- if (p >= v + n) {
+ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
r.e = 99; /* out of values--invalid code */
} else if (*p < s) {
r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 8677a03..ca0a458 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -7,7 +7,7 @@
. ./testing.sh
-# testing "test name" "options" "expected result" "file input" "stdin"
+# testing "test name" "commands" "expected result" "file input" "stdin"
# file input will be file called "input"
# test can create a file "actual" instead of writing to stdout
@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
rmdir foo
rm foo.zip
+# File containing some damaged encrypted stream
+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
+"Archive: bad.zip
+ inflating: ]3j½r«IK-%Ix
+unzip: inflate error
+1
+" \
+"" "\
+begin-base64 644 bad.zip
+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
+====
+"
+
+rm *
+
# Clean up scratch directory.
cd ..
--
2.6.2

84
package/busybox/0003-ash-recursive-heredocs.patch Normal file
View File

@ -0,0 +1,84 @@
From 4194c2875310c13ee3ca2bb0e1aea6a2ae67c55a Mon Sep 17 00:00:00 2001
From: Ron Yorston <rmy@pobox.com>
Date: Thu, 29 Oct 2015 16:44:56 +0000
Subject: [PATCH] ash: fix error during recursive processing of here document
Save the value of the checkkwd flag to prevent it being clobbered
during recursion.
Based on commit ec2c84d from git://git.kernel.org/pub/scm/utils/dash/dash.git
by Herbert Xu.
function old new delta
readtoken 190 203 +13
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/0 up/down: 13/0) Total: 13 bytes
Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 713f07d906d9171953be0c12e2369869855b6ca6)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
shell/ash.c | 5 +++--
shell/ash_test/ash-heredoc/heredoc3.right | 1 +
shell/ash_test/ash-heredoc/heredoc3.tests | 9 +++++++++
3 files changed, 13 insertions(+), 2 deletions(-)
create mode 100644 shell/ash_test/ash-heredoc/heredoc3.right
create mode 100755 shell/ash_test/ash-heredoc/heredoc3.tests
diff --git a/shell/ash.c b/shell/ash.c
index 8a1628e..256e933 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -11893,6 +11893,7 @@ static int
readtoken(void)
{
int t;
+ int kwd = checkkwd;
#if DEBUG
smallint alreadyseen = tokpushback;
#endif
@@ -11906,7 +11907,7 @@ readtoken(void)
/*
* eat newlines
*/
- if (checkkwd & CHKNL) {
+ if (kwd & CHKNL) {
while (t == TNL) {
parseheredoc();
t = xxreadtoken();
@@ -11920,7 +11921,7 @@ readtoken(void)
/*
* check for keywords
*/
- if (checkkwd & CHKKWD) {
+ if (kwd & CHKKWD) {
const char *const *pp;
pp = findkwd(wordtext);
diff --git a/shell/ash_test/ash-heredoc/heredoc3.right b/shell/ash_test/ash-heredoc/heredoc3.right
new file mode 100644
index 0000000..ce01362
--- /dev/null
+++ b/shell/ash_test/ash-heredoc/heredoc3.right
@@ -0,0 +1 @@
+hello
diff --git a/shell/ash_test/ash-heredoc/heredoc3.tests b/shell/ash_test/ash-heredoc/heredoc3.tests
new file mode 100755
index 0000000..96c227c
--- /dev/null
+++ b/shell/ash_test/ash-heredoc/heredoc3.tests
@@ -0,0 +1,9 @@
+echo hello >greeting
+cat <<EOF &&
+$(cat greeting)
+EOF
+{
+ echo $?
+ cat greeting
+} >/dev/null
+rm greeting
--
2.7.4

134
package/busybox/0003-g-unzip-fix-recent-breakage.patch
View File

@ -1,134 +0,0 @@
From 6bd3fff51aa74e2ee2d87887b12182a3b09792ef Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Fri, 30 Oct 2015 23:41:53 +0100
Subject: [PATCH] [g]unzip: fix recent breakage.
Also, do emit error message we so painstakingly pass from gzip internals
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------
testsuite/unzip.tests | 1 +
2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
index 30bf451..20e4d9a 100644
--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
@@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n,
huft_t *q; /* points to current table */
huft_t r; /* table entry for structure assignment */
huft_t *u[BMAX]; /* table stack */
- unsigned v[N_MAX]; /* values in order of bit length */
- unsigned v_end;
+ unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */
int ws[BMAX + 1]; /* bits decoded stack */
int w; /* bits decoded */
unsigned x[BMAX + 1]; /* bit offsets, then code stack */
@@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n,
*xp++ = j;
}
- /* Make a table of values in order of bit lengths */
+ /* Make a table of values in order of bit lengths.
+ * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX.
+ * In particular, last v[i] is never filled and must not be accessed.
+ */
+ memset(v, 0xff, sizeof(v));
p = b;
i = 0;
- v_end = 0;
do {
j = *p++;
if (j != 0) {
v[x[j]++] = i;
- v_end = x[j];
}
} while (++i < n);
@@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n,
/* set up table entry in r */
r.b = (unsigned char) (k - w);
- if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
+ if (/*p >= v + n || -- redundant, caught by the second check: */
+ *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/
+ ) {
r.e = 99; /* out of values--invalid code */
} else if (*p < s) {
r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
@@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
e = t->e;
if (e > 16)
do {
- if (e == 99)
- abort_unzip(PASS_STATE_ONLY);;
+ if (e == 99) {
+ abort_unzip(PASS_STATE_ONLY);
+ }
bb >>= t->b;
k -= t->b;
e -= 16;
@@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
e = t->e;
if (e > 16)
do {
- if (e == 99)
+ if (e == 99) {
abort_unzip(PASS_STATE_ONLY);
+ }
bb >>= t->b;
k -= t->b;
e -= 16;
@@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e)
b_dynamic >>= 4;
k_dynamic -= 4;
- if (nl > 286 || nd > 30)
+ if (nl > 286 || nd > 30) {
abort_unzip(PASS_STATE_ONLY); /* bad lengths */
+ }
/* read in bit-length-code lengths */
for (j = 0; j < nb; j++) {
@@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e)
bl = lbits;
i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl);
- if (i != 0)
+ if (i != 0) {
abort_unzip(PASS_STATE_ONLY);
+ }
bd = dbits;
i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd);
- if (i != 0)
+ if (i != 0) {
abort_unzip(PASS_STATE_ONLY);
+ }
/* set up data for inflate_codes() */
inflate_codes_setup(PASS_STATE bl, bd);
@@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
error_msg = "corrupted data";
if (setjmp(error_jmp)) {
/* Error from deep inside zip machinery */
+ bb_error_msg(error_msg);
n = -1;
goto ret;
}
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index ca0a458..d8738a3 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -34,6 +34,7 @@ rm foo.zip
testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
"Archive: bad.zip
inflating: ]3j½r«IK-%Ix
+unzip: corrupted data
unzip: inflate error
1
" \
--
2.6.2

73
package/busybox/0004-fix-CVE-2016-2147.patch Normal file
View File

@ -0,0 +1,73 @@
From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Fri, 26 Feb 2016 15:54:56 +0100
Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
buffer)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
networking/udhcp/common.c | 15 +++++++++++++--
networking/udhcp/dhcpc.c | 4 ++--
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
index bc41c8d..680852c 100644
--- a/networking/udhcp/common.c
+++ b/networking/udhcp/common.c
@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
* udhcp_str2optset: to determine how many bytes to allocate.
* xmalloc_optname_optval: to estimate string length
* from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
- * is the number of elements, multiply in by one element's string width
+ * is the number of elements, multiply it by one element's string width
* (len_of_option_as_string[opt_type]) and you know how wide string you need.
*/
const uint8_t dhcp_option_lengths[] ALIGN1 = {
@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
[OPTION_S32] = 4,
/* Just like OPTION_STRING, we use minimum length here */
[OPTION_STATIC_ROUTES] = 5,
- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
+ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
+ /* The above value was chosen as follows:
+ * len_of_option_as_string[] for this option is >60: it's a string of the form
+ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
+ * Each additional ipv4 address takes 4 bytes in binary option and appends
+ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
+ * but this severely overestimates string length: instead of 16 bytes,
+ * it adds >60 for every 4 bytes in binary option.
+ * We cheat and declare here that option is in units of 12 bytes.
+ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
+ * (Even 16 instead of 12 should work, but let's be paranoid).
+ */
};
diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
index 915f659..2332b57 100644
--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c
@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
[OPTION_IP ] = sizeof("255.255.255.255 "),
[OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
[OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
[OPTION_STRING ] = 1,
[OPTION_STRING_HOST ] = 1,
#if ENABLE_FEATURE_UDHCP_RFC3397
@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
type = optflag->flags & OPTION_TYPE_MASK;
optlen = dhcp_option_lengths[type];
upper_length = len_of_option_as_string[type]
- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
+ * ((unsigned)(len + optlen) / (unsigned)optlen);
dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
dest += sprintf(ret, "%s=", opt_name);
--
2.7.4

74
package/busybox/0004-truncate-open-mode.patch
View File

@ -1,74 +0,0 @@
From be729c1d3b5c923f10871dd68ea94156d0f8c803 Mon Sep 17 00:00:00 2001
From: Ari Sundholm <ari@tuxera.com>
Date: Mon, 4 Jan 2016 15:40:37 +0200
Subject: [PATCH] truncate: always set mode when opening file to avoid fortify
errors
Busybox crashes due to no mode being given when opening:
$ ./busybox truncate -s 1M foo
*** invalid open64 call: O_CREAT without mode ***: ./busybox terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f66d921338f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f66d92aac9c]
/lib/x86_64-linux-gnu/libc.so.6(+0xeb6aa)[0x7f66d928b6aa]
./busybox[0x4899f9]
======= Memory map: ========
00400000-004d0000 r-xp 00000000 00:1a 137559 /home/ari/busybox/busybox
006cf000-006d0000 r--p 000cf000 00:1a 137559 /home/ari/busybox/busybox
006d0000-006d1000 rw-p 000d0000 00:1a 137559 /home/ari/busybox/busybox
006d1000-006d4000 rw-p 00000000 00:00 0
014e7000-01508000 rw-p 00000000 00:00 0 [heap]
7f66d8f8a000-7f66d8fa0000 r-xp 00000000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f66d8fa0000-7f66d919f000 ---p 00016000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f66d919f000-7f66d91a0000 rw-p 00015000 08:07 1579008 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f66d91a0000-7f66d935b000 r-xp 00000000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
7f66d935b000-7f66d955a000 ---p 001bb000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
7f66d955a000-7f66d955e000 r--p 001ba000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
7f66d955e000-7f66d9560000 rw-p 001be000 08:07 1578994 /lib/x86_64-linux-gnu/libc-2.19.so
7f66d9560000-7f66d9565000 rw-p 00000000 00:00 0
7f66d9565000-7f66d966a000 r-xp 00000000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
7f66d966a000-7f66d9869000 ---p 00105000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
7f66d9869000-7f66d986a000 r--p 00104000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
7f66d986a000-7f66d986b000 rw-p 00105000 08:07 1579020 /lib/x86_64-linux-gnu/libm-2.19.so
7f66d986b000-7f66d988e000 r-xp 00000000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so
7f66d9a64000-7f66d9a67000 rw-p 00000000 00:00 0
7f66d9a8a000-7f66d9a8d000 rw-p 00000000 00:00 0
7f66d9a8d000-7f66d9a8e000 r--p 00022000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so
7f66d9a8e000-7f66d9a8f000 rw-p 00023000 08:07 1578981 /lib/x86_64-linux-gnu/ld-2.19.so
7f66d9a8f000-7f66d9a90000 rw-p 00000000 00:00 0
7ffc47761000-7ffc47782000 rw-p 00000000 00:00 0 [stack]
7ffc477ab000-7ffc477ad000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted (core dumped)
$
Fix this by simply always setting the mode, as it doesn't hurt even
when O_CREAT is not specified.
This bug is a regression introduced in fc3e40e, as xopen(), which
was originally used, would automatically set the mode.
Signed-off-by: Ari Sundholm <ari@tuxera.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit e111a1640494fe87fc913f94fae3bb805de0fc99)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
coreutils/truncate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coreutils/truncate.c b/coreutils/truncate.c
index e5fa656..4c997bf 100644
--- a/coreutils/truncate.c
+++ b/coreutils/truncate.c
@@ -64,7 +64,7 @@ int truncate_main(int argc UNUSED_PARAM, char **argv)
argv += optind;
while (*argv) {
- int fd = open(*argv, flags);
+ int fd = open(*argv, flags, 0666);
if (fd < 0) {
if (errno != ENOENT || !(opts & OPT_NOCREATE)) {
bb_perror_msg("%s: open", *argv);
--
2.6.2

56
package/busybox/0005-fix-CVE-2016-2148.patch Normal file
View File

@ -0,0 +1,56 @@
From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 10 Mar 2016 11:47:58 +0100
Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
networking/udhcp/domain_codec.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
index c1325d8..8429367 100644
--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
if (crtpos + *c + 1 > clen) /* label too long? abort */
return NULL;
if (dst)
- memcpy(dst + len, c + 1, *c);
+ /* \3com ---> "com." */
+ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
len += *c + 1;
crtpos += *c + 1;
- if (dst)
- dst[len - 1] = '.';
} else {
/* NUL: end of current domain name */
if (retpos == 0) {
@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
crtpos = retpos;
retpos = depth = 0;
}
- if (dst)
+ if (dst && len != 0)
+ /* \4host\3com\0\4host and we are at \0:
+ * \3com was converted to "com.", change dot to space.
+ */
dst[len - 1] = ' ';
}
@@ -228,6 +230,9 @@ int main(int argc, char **argv)
int len;
uint8_t *encoded;
+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
+
#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
--
2.7.4

6
package/busybox/busybox.hash
View File

@ -1,3 +1,3 @@
# From http://busybox.net/downloads/busybox-1.24.1.tar.bz2.sign
md5 be98a40cadf84ce2d6b05fa41a275c6a busybox-1.24.1.tar.bz2
sha1 157d14d24748b4505b1a418535688706a2b81680 busybox-1.24.1.tar.bz2
# From http://busybox.net/downloads/busybox-1.24.2.tar.bz2.sign
md5 2eaae519cac1143bcf583636a745381f busybox-1.24.2.tar.bz2
sha1 03e6cfc8ddb2f709f308719a9b9f4818bc0a28d0 busybox-1.24.2.tar.bz2

2
package/busybox/busybox.mk
View File

@ -4,7 +4,7 @@
#
################################################################################
BUSYBOX_VERSION = 1.24.1
BUSYBOX_VERSION = 1.24.2
BUSYBOX_SITE = http://www.busybox.net/downloads
BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
BUSYBOX_LICENSE = GPLv2