NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

musl: add upstream security fix for CVE-2017-15650

Browse Source 
>From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5

Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.

When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard 2017-10-21 21:12:59 +02:00
parent 5f50fb8d1d
commit 209f42fd3a
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch Normal file
View File

@ -0,0 +1,35 @@
From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Wed, 18 Oct 2017 14:50:03 -0400
Subject: [PATCH] in dns parsing callback, enforce MAXADDRS to preclude
overflow
MAXADDRS was chosen not to need enforcement, but the logic used to
compute it assumes the answers received match the RR types of the
queries. specifically, it assumes that only one replu contains A
record answers. if the replies to both the A and the AAAA query have
their answer sections filled with A records, MAXADDRS can be exceeded
and clobber the stack of the calling function.
this bug was found and reported by Felix Wilhelm.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/network/lookup_name.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
index 066be4d5..209c20f0 100644
--- a/src/network/lookup_name.c
+++ b/src/network/lookup_name.c
@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
{
char tmp[256];
struct dpc_ctx *ctx = c;
+ if (ctx->cnt >= MAXADDRS) return -1;
switch (rr) {
case RR_A:
if (len != 4) return -1;
--
2.11.0