Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix CVE-2017-13704, which resulted in a crash on a large DNS query.

Browse Source 
A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size,
if different.) is enough to cause SIGSEGV.
This commit is contained in:
Simon Kelley
2017-09-06 22:34:21 +01:00
parent 69a815aa8f
commit 63437ffbb5
4 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG
View File

@@ -17,6 +17,13 @@ version 2.78
--strict-order active. Thanks to Hans Dedecker --strict-order active. Thanks to Hans Dedecker
for the patch for the patch
Fix regression in 2.77, ironically added as a security
improvement, which resulted in a crash when a DNS
query exceeded 512 bytes (or the EDNS0 packet size,
if different.) Thanks to Christian Kujau, Arne Woerner
Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
chasing this one down. CVE-2017-13704 applies.
version 2.77 version 2.77
Generate an error when configured with a CNAME loop, Generate an error when configured with a CNAME loop,

5
src/auth.c
View File

@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
struct cname *a, *candidate; struct cname *a, *candidate;
unsigned int wclen; unsigned int wclen;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(((char *)header) + qlen, 0,
(limit - ((char *)header)) - qlen);
if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
return 0; return 0;

8
src/forward.c
View File

@@ -1189,6 +1189,10 @@ void receive_query(struct listener *listen, time_t now)
(header->hb3 & HB3_QR)) (header->hb3 & HB3_QR))
return; return;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
source_addr.sa.sa_family = listen->family; source_addr.sa.sa_family = listen->family;
if (listen->family == AF_INET) if (listen->family == AF_INET)
@@ -1689,6 +1693,10 @@ unsigned char *tcp_request(int confd, time_t now,
if (size < (int)sizeof(struct dns_header)) if (size < (int)sizeof(struct dns_header))
continue; continue;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(payload + size, 0, 65536 - size);
query_count++; query_count++;
/* log_query gets called indirectly all over the place, so /* log_query gets called indirectly all over the place, so

5
src/rfc1035.c
View File

@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
struct mx_srv_record *rec; struct mx_srv_record *rec;
size_t len; size_t len;
/* Clear buffer beyond request to avoid risk of
information disclosure. */
memset(((char *)header) + qlen, 0,
(limit - ((char *)header)) - qlen);
if (ntohs(header->ancount) != 0 || if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 || ntohs(header->nscount) != 0 ||
ntohs(header->qdcount) == 0 || ntohs(header->qdcount) == 0 ||