From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] dnsmasq 2.76: latest patches from upstream (001-003) Date: Sat, 09 Jul 2016 12:27:37 +0200 Message-ID: <20160709102737.1728-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4469447689537765913==" List-Id: --===============4469447689537765913== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Matthias Fischer --- lfs/dnsmasq | 3 + ...late_length_of_TFTP_error_reply_correctly.patch | 65 ++++++++++++++++++++= ++ .../dnsmasq/002-Zero_newly_malloc_ed_memory.patch | 36 ++++++++++++ .../003-Check_return_of_expand_always.patch | 44 +++++++++++++++ 4 files changed, 148 insertions(+) create mode 100644 src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_re= ply_correctly.patch create mode 100644 src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch create mode 100644 src/patches/dnsmasq/003-Check_return_of_expand_always.pat= ch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index e425f7d..5782f77 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -73,6 +73,9 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate= _length_of_TFTP_error_reply_correctly.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newl= y_malloc_ed_memory.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_ret= urn_of_expand_always.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-t= o-read-ISC-DHCP-lease-file.patch =20 cd $(DIR_APP) && sed -i src/config.h \ 
diff --git a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_cor= rectly.patch b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_c= orrectly.patch new file mode 100644 index 0000000..43ac068 --- /dev/null +++ b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.= patch 
@@ -0,0 +1,65 @@ +From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 6 Jul 2016 21:30:25 +0100 +Subject: [PATCH] Calculate length of TFTP error reply correctly. + +--- + CHANGELOG | 14 ++++++++++++++ + src/tftp.c | 7 +++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 04ff3f0..0559a6f 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,17 @@ ++version 2.77 ++ Calculate the length of TFTP error reply packet=20 ++ correctly. This fixes a problem when the error=20 ++ message in a TFTP packet exceeds the arbitrary=20 ++ limit of 500 characters. The message was correctly ++ truncated, but not the packet length, so=20 ++ extra data was appended. This is a possible ++ security risk, since the extra data comes from ++ a buffer which is also used for DNS, so that ++ previous DNS queries or replies may be leaked. ++ Thanks to Mozilla for funding the security audit=20 ++ which spotted this bug. ++ ++ + version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range=20 + translates to hosts on the local network, or, at=20 +diff --git a/src/tftp.c b/src/tftp.c +index 5e4a32a..3e1b5c5 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -652,20 +652,23 @@ static void sanitise(char *buf) +=20 + } +=20 ++#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely s= maller than buffer */=20 + static ssize_t tftp_err(int err, char *packet, char *message, char *file) + { + struct errmess { + unsigned short op, err; + char message[]; + } *mess =3D (struct errmess *)packet; +- ssize_t ret =3D 4; ++ ssize_t len, ret =3D 4; + char *errstr =3D strerror(errno); + =20 + sanitise(file); +=20 + mess->op =3D htons(OP_ERR); + mess->err =3D htons(err); +- ret +=3D (snprintf(mess->message, 500, message, file, errstr) + 1); ++ len =3D snprintf(mess->message, MAXMESSAGE, message, file, errstr); ++ ret +=3D (len < MAXMESSAGE) ? 
len + 1 : MAXMESSAGE; /* include terminatin= g zero */ ++ =20 + my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message); + =20 + return ret; +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch b/src/= patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch new file mode 100644 index 0000000..b748db8 --- /dev/null +++ b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch @@ -0,0 +1,36 @@ +From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 6 Jul 2016 21:33:56 +0100 +Subject: [PATCH] Zero newly malloc'ed memory. + +--- + src/util.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/util.c b/src/util.c +index 93b24f5..82443c9 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -248,6 +248,8 @@ void *safe_malloc(size_t size) + =20 + if (!ret) + die(_("could not get memory"), NULL, EC_NOMEM); ++ else ++ memset(ret, 0, size); + =20 + return ret; + } =20 +@@ -266,7 +268,9 @@ void *whine_malloc(size_t size) +=20 + if (!ret) + my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); +- ++ else ++ memset(ret, 0, size); ++ =20 + return ret; + } +=20 +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch b/sr= c/patches/dnsmasq/003-Check_return_of_expand_always.patch new file mode 100644 index 0000000..a69f4ce --- /dev/null +++ b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch 
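Review bot: In the `tftp_err()` change carried by patch 001, `len` is used without checking for a negative return from `snprintf()`; in that case `len < MAXMESSAGE` is still true and `ret` becomes `4 + len + 1`, so the reported packet length no longer matches a terminated message. This is unlikely with plain `%s` conversions but cheap to close with `if (len < 0) { mess->message[0] = 0; len = 0; }` before the `ret +=` line. The format string `message` is a non-literal parameter, so a comment on `tftp_err()` should state that callers must pass a fixed format with at most two `%s` conversions (file name, then error string); the call sites and the end of the function are outside this hunk. Because the CHANGELOG text describes a possible leak of earlier DNS data, the commit subject could mark 001 as a security fix so that it is picked up for backports.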
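Review bot: The added `else memset(ret, 0, size);` branches in `safe_malloc()` and `whine_malloc()` zero the buffer as a second step after allocation. If the allocation line above the hunk is a plain `malloc(size)` (it is not visible here), `calloc(1, size)` would give the same guarantee in one call and make both `else` branches unnecessary. Either way, a one-line comment such as `/* always hand out zeroed memory so stale heap contents are never exposed */` would record the intent, which is presumably defence against uninitialised-memory disclosure. Both function bodies start outside the hunk.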
@@ -0,0 +1,44 @@ +From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 6 Jul 2016 21:42:27 +0100 +Subject: [PATCH] Check return of expand() always. + +--- + src/radv.c | 4 +++- + src/slaac.c | 5 ++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/radv.c b/src/radv.c +index 749b666..faa0f6d 100644 +--- a/src/radv.c ++++ b/src/radv.c +@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *i= face_name, struct in6_ad + parm.prio =3D calc_prio(ra_param); + =20 + save_counter(0); +- ra =3D expand(sizeof(struct ra_packet)); ++ =20 ++ if (!(ra =3D expand(sizeof(struct ra_packet)))) ++ return; + =20 + ra->type =3D ND_ROUTER_ADVERT; + ra->code =3D 0; +diff --git a/src/slaac.c b/src/slaac.c +index 8034805..07b8ba4 100644 +--- a/src/slaac.c ++++ b/src/slaac.c +@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *le= ases) + struct sockaddr_in6 addr; + =20 + save_counter(0); +- ping =3D expand(sizeof(struct ping_packet)); ++ ++ if (!(ping =3D expand(sizeof(struct ping_packet)))) ++ continue; ++ + ping->type =3D ICMP6_ECHO_REQUEST; + ping->code =3D 0; + ping->identifier =3D ping_id; +--=20 +1.7.10.4 + --=20 2.9.0 --===============4469447689537765913==--
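Review bot: Both new NULL checks fail silently: `send_ra_alias()` does `return` and `periodic_slaac()` does `continue` with no log line. Unless `expand()` itself logs, which is not visible here, an operator cannot tell why router advertisements or SLAAC pings stopped. A short comment at each site, for example `/* expand() could not provide the packet buffer: skip this packet */`, would document the intent, and a `my_syslog()` call would be worth adding if `expand()` turns out to be quiet. The later writes into the same packet in both functions lie outside the hunk, so it cannot be confirmed from this page whether further `expand()` results are checked there.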