Menu
▾
▴
[Astlinux-commits] SF.net SVN: astlinux:[7617] branches/1.0/package/busybox/ busybox-udhcp-fix-CVE-2016-2148.patch
|
From: <abe...@us...> - 2016-03-26 13:23:57
|
Revision: 7617
http://sourceforge.net/p/astlinux/code/7617
Author: abelbeck
Date: 2016-03-26 13:23:54 +0000 (Sat, 26 Mar 2016)
Log Message:
-----------
busybox, udhcp: fix a SEGV on malformed RFC1035-encoded domain name - CVE-2016-2148
Added Paths:
-----------
branches/1.0/package/busybox/busybox-udhcp-fix-CVE-2016-2148.patch
Added: branches/1.0/package/busybox/busybox-udhcp-fix-CVE-2016-2148.patch
===================================================================
--- branches/1.0/package/busybox/busybox-udhcp-fix-CVE-2016-2148.patch (rev 0)
+++ branches/1.0/package/busybox/busybox-udhcp-fix-CVE-2016-2148.patch 2016-03-26 13:23:54 UTC (rev 7617)
@@ -0,0 +1,55 @@
+From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda...@go...>
+Date: Thu, 10 Mar 2016 11:47:58 +0100
+Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
+
+Signed-off-by: Denys Vlasenko <vda...@go...>
+Signed-off-by: Mike Frysinger <va...@ge...>
+(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
+Signed-off-by: Gustavo Zacarias <gu...@za...>
+---
+ networking/udhcp/domain_codec.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
+index c1325d8..8429367 100644
+--- a/networking/udhcp/domain_codec.c
++++ b/networking/udhcp/domain_codec.c
+@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ if (crtpos + *c + 1 > clen) /* label too long? abort */
+ return NULL;
+ if (dst)
+- memcpy(dst + len, c + 1, *c);
++ /* \3com ---> "com." */
++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
+ len += *c + 1;
+ crtpos += *c + 1;
+- if (dst)
+- dst[len - 1] = '.';
+ } else {
+ /* NUL: end of current domain name */
+ if (retpos == 0) {
+@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
+ crtpos = retpos;
+ retpos = depth = 0;
+ }
+- if (dst)
++ if (dst && len != 0)
++ /* \4host\3com\0\4host and we are at \0:
++ * \3com was converted to "com.", change dot to space.
++ */
+ dst[len - 1] = ' ';
+ }
+
+@@ -228,6 +230,9 @@ int main(int argc, char **argv)
+ int len;
+ uint8_t *encoded;
+
++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
++ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
++
+ #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
+ printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
+ printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
+--
+2.7.4
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
