Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/dnsmasq | 3 + ...late_length_of_TFTP_error_reply_correctly.patch | 65 ++++++++++++++++++++++ .../dnsmasq/002-Zero_newly_malloc_ed_memory.patch | 36 ++++++++++++ .../003-Check_return_of_expand_always.patch | 44 +++++++++++++++ 4 files changed, 148 insertions(+) create mode 100644 src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch create mode 100644 src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch create mode 100644 src/patches/dnsmasq/003-Check_return_of_expand_always.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index e425f7d..5782f77 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -73,6 +73,9 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
 cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
new file mode 100644
index 0000000..43ac068
--- /dev/null
+++ b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
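Review bot: The three new `patch -Np1` lines in the $(TARGET) recipe give a reader no hint of what they carry or when they can be removed; a comment above them such as `# dnsmasq 2.77 security fixes (TFTP error-reply length, zeroed allocations, expand() NULL checks) - drop on update to >= 2.77` would record both. The version comes from the CHANGELOG hunk embedded in the 001 patch, which files the fixes under 2.77, so whoever bumps the tarball next knows the patches are already upstream by then. The recipe itself looks fine: each line runs in its own shell, so a patch that fails to apply should abort the build rather than silently ship unpatched code.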
@@ -0,0 +1,65 @@
+From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Wed, 6 Jul 2016 21:30:25 +0100
+Subject: [PATCH] Calculate length of TFTP error reply correctly.
+
+---
+ CHANGELOG | 14 ++++++++++++++
+ src/tftp.c | 7 +++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 04ff3f0..0559a6f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,17 @@
++version 2.77
++ Calculate the length of TFTP error reply packet
++ correctly. This fixes a problem when the error
++ message in a TFTP packet exceeds the arbitrary
++ limit of 500 characters. The message was correctly
++ truncated, but not the packet length, so
++ extra data was appended. This is a possible
++ security risk, since the extra data comes from
++ a buffer which is also used for DNS, so that
++ previous DNS queries or replies may be leaked.
++ Thanks to Mozilla for funding the security audit
++ which spotted this bug.
++
++
+ version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+ translates to hosts on the local network, or, at
+diff --git a/src/tftp.c b/src/tftp.c
+index 5e4a32a..3e1b5c5 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -652,20 +652,23 @@ static void sanitise(char *buf)
+
+ }
+
++#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */
+ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
+ {
+ struct errmess {
+ unsigned short op, err;
+ char message[];
+ } *mess = (struct errmess *)packet;
+- ssize_t ret = 4;
++ ssize_t len, ret = 4;
+ char *errstr = strerror(errno);
+
+ sanitise(file);
+
+ mess->op = htons(OP_ERR);
+ mess->err = htons(err);
+- ret += (snprintf(mess->message, 500, message, file, errstr) + 1);
++ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr);
++ ret += (len < MAXMESSAGE) ? len + 1 : MAXMESSAGE; /* include terminating zero */
++
+ my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
+
+ return ret;
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
new file mode 100644
index 0000000..b748db8
--- /dev/null
+++ b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
@@ -0,0 +1,36 @@
+From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Wed, 6 Jul 2016 21:33:56 +0100
+Subject: [PATCH] Zero newly malloc'ed memory.
+
+---
+ src/util.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util.c b/src/util.c
+index 93b24f5..82443c9 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -248,6 +248,8 @@ void *safe_malloc(size_t size)
+
+ if (!ret)
+ die(_("could not get memory"), NULL, EC_NOMEM);
++ else
++ memset(ret, 0, size);
+
+ return ret;
+ }
+@@ -266,7 +268,9 @@ void *whine_malloc(size_t size)
+
+ if (!ret)
+ my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
+-
++ else
++ memset(ret, 0, size);
++
+ return ret;
+ }
+
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
new file mode 100644
index 0000000..a69f4ce
--- /dev/null
+++ b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
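Review bot: In the new tftp_err body (the src/tftp.c hunk inside this patch file), `len` is taken straight from snprintf, which returns a negative value on an encoding error; `ret += (len < MAXMESSAGE) ? len + 1 : MAXMESSAGE` then adds zero or less, and the following my_syslog prints a message buffer whose contents snprintf leaves undefined on failure. A guard between the two new lines closes that, e.g. `if (len < 0) { mess->message[0] = 0; len = 0; }`. Worth recording too that `message` is a caller-supplied format string, so the function is only safe while every caller passes a constant format — a one-line comment on that parameter would document the expectation. The backport itself is correct: 499 characters plus the terminator fit exactly in MAXMESSAGE bytes, so the packet length now matches the truncated message and no longer carries bytes from the buffer the CHANGELOG says is shared with DNS.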
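Review bot: In both safe_malloc and whine_malloc the added `else memset(ret, 0, size);` after a successful malloc is exactly what `calloc(1, size)` does in one call; switching the allocation (presumably the `ret = malloc(size)` line just above each hunk) to `calloc(1, size)` would drop the new else branches and make the zeroing impossible to lose on a later edit. In safe_malloc the `else` only matters if die() can return, which its name suggests it does not — if so, `memset(ret, 0, size);` can simply follow the `if` unconditionally. Either form is sound as defence in depth against the stale-data disclosure that patch 001 fixes, since zeroed allocations cannot leak the previous occupant of the memory.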
@@ -0,0 +1,44 @@
+From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Wed, 6 Jul 2016 21:42:27 +0100
+Subject: [PATCH] Check return of expand() always.
+
+---
+ src/radv.c | 4 +++-
+ src/slaac.c | 5 ++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/radv.c b/src/radv.c
+index 749b666..faa0f6d 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
+ parm.prio = calc_prio(ra_param);
+
+ save_counter(0);
+- ra = expand(sizeof(struct ra_packet));
++
++ if (!(ra = expand(sizeof(struct ra_packet))))
++ return;
+
+ ra->type = ND_ROUTER_ADVERT;
+ ra->code = 0;
+diff --git a/src/slaac.c b/src/slaac.c
+index 8034805..07b8ba4 100644
+--- a/src/slaac.c
++++ b/src/slaac.c
+@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
+ struct sockaddr_in6 addr;
+
+ save_counter(0);
+- ping = expand(sizeof(struct ping_packet));
++
++ if (!(ping = expand(sizeof(struct ping_packet))))
++ continue;
++
+ ping->type = ICMP6_ECHO_REQUEST;
+ ping->code = 0;
+ ping->identifier = ping_id;
+--
+1.7.10.4
+
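Review bot: The new `return;` in send_ra_alias (radv.c) and `continue;` in periodic_slaac (slaac.c) bail out silently right after `save_counter(0)` has reset the output counter, so a failed expand() leaves no trace unless expand() logs the failure itself — patch 002 shows whine_malloc does, if that is what expand() is built on, which should be confirmed. If it does not, a `my_syslog(LOG_WARNING, ...)` before each exit would make the dropped router advertisement or echo request visible to operators instead of vanishing. Both enclosing functions begin before their hunks; in periodic_slaac the `continue` assumes nothing later in the loop body must still run for this lease when the ping is skipped, which should be checked against the rest of the loop. The NULL checks themselves are the right fix, since the old code dereferenced `ra` and `ping` unconditionally on the next line.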