dnsmasq: forward.c: fix CVE-2017-13704
authorKevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tue, 29 Aug 2017 13:29:18 +0000 (14:29 +0100)
committerJohn Crispin <john@phrozen.org>
Wed, 30 Aug 2017 15:05:10 +0000 (17:05 +0200)
commitca7933730681bf3a42261fdf045dc1d929cbee48
treee244e7f4dce068a1798c4a3a47783d5c9d16c608
parent97a6ef513f45b40c635159c9b4b88f3eaa1498d2
dnsmasq: forward.c: fix CVE-2017-13704

Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/patches/025-fix-CVE-2017-13704.patch [new file with mode: 0644]