Skip to content

D
Dnsmasq
Commit 63437ffb authored by Simon Kelley's avatar Simon Kelley
Browse files
Options

Fix CVE-2017-13704, which resulted in a crash on a large DNS query. 

A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size,
if different.) is enough to cause SIGSEGV.
parent 69a815aa
Show whitespace changes
Inline Side-by-side
Showing with 15 additions and 10 deletions
CHANGELOG
View file @ 63437ffb
...@@ -17,6 +17,13 @@ version 2.78 ...@@ -17,6 +17,13 @@ version 2.78
--strict-order active. Thanks to Hans Dedecker --strict-order active. Thanks to Hans Dedecker
for the patch for the patch
Fix regression in 2.77, ironically added as a security
improvement, which resulted in a crash when a DNS
query exceeded 512 bytes (or the EDNS0 packet size,
if different.) Thanks to Christian Kujau, Arne Woerner
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
chasing this one down. CVE-2017-13704 applies.
version 2.77 version 2.77
Generate an error when configured with a CNAME loop, Generate an error when configured with a CNAME loop,
......
src/auth.c
View file @ 63437ffb
...@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n ...@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
struct cname *a, *candidate; struct cname *a, *candidate;
unsigned int wclen; unsigned int wclen;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(((char *)header) + qlen, 0,
(limit - ((char *)header)) - qlen);
if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
return 0; return 0;
......
src/forward.c
View file @ 63437ffb
...@@ -1189,6 +1189,10 @@ void receive_query(struct listener *listen, time_t now) ...@@ -1189,6 +1189,10 @@ void receive_query(struct listener *listen, time_t now)
(header->hb3 & HB3_QR)) (header->hb3 & HB3_QR))
return; return;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
source_addr.sa.sa_family = listen->family; source_addr.sa.sa_family = listen->family;
if (listen->family == AF_INET) if (listen->family == AF_INET)
...@@ -1689,6 +1693,10 @@ unsigned char *tcp_request(int confd, time_t now, ...@@ -1689,6 +1693,10 @@ unsigned char *tcp_request(int confd, time_t now,
if (size < (int)sizeof(struct dns_header)) if (size < (int)sizeof(struct dns_header))
continue; continue;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(payload + size, 0, 65536 - size);
query_count++; query_count++;
/* log_query gets called indirectly all over the place, so /* log_query gets called indirectly all over the place, so
......
src/rfc1035.c
View file @ 63437ffb
...@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, ...@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
struct mx_srv_record *rec; struct mx_srv_record *rec;
size_t len; size_t len;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(((char *)header) + qlen, 0,
(limit - ((char *)header)) - qlen);
if (ntohs(header->ancount) != 0 || if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 || ntohs(header->nscount) != 0 ||
ntohs(header->qdcount) == 0 || ntohs(header->qdcount) == 0 ||
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment