* [meta-networking][morty][PATCH] c-ares: fix CVE-2016-5180
@ 2016-10-20 22:33 André Draszik
2016-10-20 23:38 ` akuster808
0 siblings, 1 reply; 3+ messages in thread
From: André Draszik @ 2016-10-20 22:33 UTC (permalink / raw)
To: openembedded-devel
Backport patch to fix CVE-2016-5180 from c-ares upstream:
https://c-ares.haxx.se/adv_20160929.html
Signed-off-by: André Draszik <git@andred.net>
---
.../c-ares/c-ares/CVE-2016-5180.patch | 166 +++++++++++++++++++++
.../recipes-support/c-ares/c-ares_1.11.0.bb | 1 +
2 files changed, 167 insertions(+)
create mode 100644 meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
diff --git a/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch b/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
new file mode 100644
index 0000000..0b4fbb4
--- /dev/null
+++ b/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
@@ -0,0 +1,166 @@
+From 115fe381c75147352d7a8d21aa3ffb85ca367219 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Sep 2016 14:44:11 +0200
+Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite
+
+... when the name ends with an escaped dot.
+
+CVE-2016-5180
+
+Bug: https://c-ares.haxx.se/adv_20160929.html
+---
+Upstream-Status: Backport [https://c-ares.haxx.se/adv_20160929.html]
+CVE: CVE-2016-5180
+Signed-off-by: André Draszik <git@andred.net>
+ ares_create_query.c | 84 +++++++++++++++++++++++++----------------------------
+ 1 file changed, 39 insertions(+), 45 deletions(-)
+
+diff --git a/ares_create_query.c b/ares_create_query.c
+index a34dda7..7f4c52d 100644
+--- a/ares_create_query.c
++++ b/ares_create_query.c
+@@ -83,61 +83,35 @@
+ * label. The list is terminated by a label of length zero (which can
+ * be thought of as the root domain).
+ */
+
+ int ares_create_query(const char *name, int dnsclass, int type,
+- unsigned short id, int rd, unsigned char **buf,
+- int *buflen, int max_udp_size)
++ unsigned short id, int rd, unsigned char **bufp,
++ int *buflenp, int max_udp_size)
+ {
+- int len;
++ size_t len;
+ unsigned char *q;
+ const char *p;
++ size_t buflen;
++ unsigned char *buf;
+
+ /* Set our results early, in case we bail out early with an error. */
+- *buflen = 0;
+- *buf = NULL;
++ *buflenp = 0;
++ *bufp = NULL;
+
+- /* Compute the length of the encoded name so we can check buflen.
+- * Start counting at 1 for the zero-length label at the end. */
+- len = 1;
+- for (p = name; *p; p++)
+- {
+- if (*p == '\\' && *(p + 1) != 0)
+- p++;
+- len++;
+- }
+- /* If there are n periods in the name, there are n + 1 labels, and
+- * thus n + 1 length fields, unless the name is empty or ends with a
+- * period. So add 1 unless name is empty or ends with a period.
++ /* Allocate a memory area for the maximum size this packet might need. +2
++ * is for the length byte and zero termination if no dots or ecscaping is
++ * used.
+ */
+- if (*name && *(p - 1) != '.')
+- len++;
+-
+- /* Immediately reject names that are longer than the maximum of 255
+- * bytes that's specified in RFC 1035 ("To simplify implementations,
+- * the total length of a domain name (i.e., label octets and label
+- * length octets) is restricted to 255 octets or less."). We aren't
+- * doing this just to be a stickler about RFCs. For names that are
+- * too long, 'dnscache' closes its TCP connection to us immediately
+- * (when using TCP) and ignores the request when using UDP, and
+- * BIND's named returns ServFail (TCP or UDP). Sending a request
+- * that we know will cause 'dnscache' to close the TCP connection is
+- * painful, since that makes any other outstanding requests on that
+- * connection fail. And sending a UDP request that we know
+- * 'dnscache' will ignore is bad because resources will be tied up
+- * until we time-out the request.
+- */
+- if (len > MAXCDNAME)
+- return ARES_EBADNAME;
+-
+- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0);
+- *buf = ares_malloc(*buflen);
+- if (!*buf)
+- return ARES_ENOMEM;
++ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
++ (max_udp_size ? EDNSFIXEDSZ : 0);
++ buf = ares_malloc(len);
++ if (!buf)
++ return ARES_ENOMEM;
+
+ /* Set up the header. */
+- q = *buf;
++ q = buf;
+ memset(q, 0, HFIXEDSZ);
+ DNS_HEADER_SET_QID(q, id);
+ DNS_HEADER_SET_OPCODE(q, QUERY);
+ if (rd) {
+ DNS_HEADER_SET_RD(q, 1);
+@@ -157,23 +131,27 @@ int ares_create_query(const char *name, int dnsclass, int type,
+
+ /* Start writing out the name after the header. */
+ q += HFIXEDSZ;
+ while (*name)
+ {
+- if (*name == '.')
++ if (*name == '.') {
++ free (buf);
+ return ARES_EBADNAME;
++ }
+
+ /* Count the number of bytes in this label. */
+ len = 0;
+ for (p = name; *p && *p != '.'; p++)
+ {
+ if (*p == '\\' && *(p + 1) != 0)
+ p++;
+ len++;
+ }
+- if (len > MAXLABEL)
++ if (len > MAXLABEL) {
++ free (buf);
+ return ARES_EBADNAME;
++ }
+
+ /* Encode the length and copy the data. */
+ *q++ = (unsigned char)len;
+ for (p = name; *p && *p != '.'; p++)
+ {
+@@ -193,16 +171,32 @@ int ares_create_query(const char *name, int dnsclass, int type,
+
+ /* Finish off the question with the type and class. */
+ DNS_QUESTION_SET_TYPE(q, type);
+ DNS_QUESTION_SET_CLASS(q, dnsclass);
+
++ q += QFIXEDSZ;
+ if (max_udp_size)
+ {
+- q += QFIXEDSZ;
+ memset(q, 0, EDNSFIXEDSZ);
+ q++;
+ DNS_RR_SET_TYPE(q, T_OPT);
+ DNS_RR_SET_CLASS(q, max_udp_size);
++ q += (EDNSFIXEDSZ-1);
++ }
++ buflen = (q - buf);
++
++ /* Reject names that are longer than the maximum of 255 bytes that's
++ * specified in RFC 1035 ("To simplify implementations, the total length of
++ * a domain name (i.e., label octets and label length octets) is restricted
++ * to 255 octets or less."). */
++ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
++ (max_udp_size ? EDNSFIXEDSZ : 0))) {
++ free (buf);
++ return ARES_EBADNAME;
+ }
+
++ /* we know this fits in an int at this point */
++ *buflenp = (int) buflen;
++ *bufp = buf;
++
+ return ARES_SUCCESS;
+ }
+--
+2.9.3
+
diff --git a/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb b/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
index c98be7d..bea2332 100644
--- a/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
+++ b/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
@@ -7,6 +7,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://ares_init.c;beginline=1;endline=3;md5=53f5ecf4c22c37cf1ddd1ef8f8eccce0"
SRC_URI = "http://c-ares.haxx.se/download/${BP}.tar.gz \
+ file://CVE-2016-5180.patch \
file://0001-configure.ac-don-t-override-passed-cflags.patch \
"
SRC_URI[md5sum] = "d5c6d522cfc54bb6f215a0b7912d46be"
--
2.9.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [meta-networking][morty][PATCH] c-ares: fix CVE-2016-5180
2016-10-20 22:33 [meta-networking][morty][PATCH] c-ares: fix CVE-2016-5180 André Draszik
@ 2016-10-20 23:38 ` akuster808
2016-10-21 8:32 ` André Draszik
0 siblings, 1 reply; 3+ messages in thread
From: akuster808 @ 2016-10-20 23:38 UTC (permalink / raw)
To: openembedded-devel
On 10/20/16 3:33 PM, André Draszik wrote:
> Backport patch to fix CVE-2016-5180 from c-ares upstream:
> https://c-ares.haxx.se/adv_20160929.html
awesome. Once this hits master I will pull it over.
Thanks,
Armin
>
> Signed-off-by: André Draszik <git@andred.net>
> ---
> .../c-ares/c-ares/CVE-2016-5180.patch | 166 +++++++++++++++++++++
> .../recipes-support/c-ares/c-ares_1.11.0.bb | 1 +
> 2 files changed, 167 insertions(+)
> create mode 100644 meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
>
> diff --git a/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch b/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
> new file mode 100644
> index 0000000..0b4fbb4
> --- /dev/null
> +++ b/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
> @@ -0,0 +1,166 @@
> +From 115fe381c75147352d7a8d21aa3ffb85ca367219 Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Fri, 23 Sep 2016 14:44:11 +0200
> +Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite
> +
> +... when the name ends with an escaped dot.
> +
> +CVE-2016-5180
> +
> +Bug: https://c-ares.haxx.se/adv_20160929.html
> +---
> +Upstream-Status: Backport [https://c-ares.haxx.se/adv_20160929.html]
> +CVE: CVE-2016-5180
> +Signed-off-by: André Draszik <git@andred.net>
> + ares_create_query.c | 84 +++++++++++++++++++++++++----------------------------
> + 1 file changed, 39 insertions(+), 45 deletions(-)
> +
> +diff --git a/ares_create_query.c b/ares_create_query.c
> +index a34dda7..7f4c52d 100644
> +--- a/ares_create_query.c
> ++++ b/ares_create_query.c
> +@@ -83,61 +83,35 @@
> + * label. The list is terminated by a label of length zero (which can
> + * be thought of as the root domain).
> + */
> +
> + int ares_create_query(const char *name, int dnsclass, int type,
> +- unsigned short id, int rd, unsigned char **buf,
> +- int *buflen, int max_udp_size)
> ++ unsigned short id, int rd, unsigned char **bufp,
> ++ int *buflenp, int max_udp_size)
> + {
> +- int len;
> ++ size_t len;
> + unsigned char *q;
> + const char *p;
> ++ size_t buflen;
> ++ unsigned char *buf;
> +
> + /* Set our results early, in case we bail out early with an error. */
> +- *buflen = 0;
> +- *buf = NULL;
> ++ *buflenp = 0;
> ++ *bufp = NULL;
> +
> +- /* Compute the length of the encoded name so we can check buflen.
> +- * Start counting at 1 for the zero-length label at the end. */
> +- len = 1;
> +- for (p = name; *p; p++)
> +- {
> +- if (*p == '\\' && *(p + 1) != 0)
> +- p++;
> +- len++;
> +- }
> +- /* If there are n periods in the name, there are n + 1 labels, and
> +- * thus n + 1 length fields, unless the name is empty or ends with a
> +- * period. So add 1 unless name is empty or ends with a period.
> ++ /* Allocate a memory area for the maximum size this packet might need. +2
> ++ * is for the length byte and zero termination if no dots or ecscaping is
> ++ * used.
> + */
> +- if (*name && *(p - 1) != '.')
> +- len++;
> +-
> +- /* Immediately reject names that are longer than the maximum of 255
> +- * bytes that's specified in RFC 1035 ("To simplify implementations,
> +- * the total length of a domain name (i.e., label octets and label
> +- * length octets) is restricted to 255 octets or less."). We aren't
> +- * doing this just to be a stickler about RFCs. For names that are
> +- * too long, 'dnscache' closes its TCP connection to us immediately
> +- * (when using TCP) and ignores the request when using UDP, and
> +- * BIND's named returns ServFail (TCP or UDP). Sending a request
> +- * that we know will cause 'dnscache' to close the TCP connection is
> +- * painful, since that makes any other outstanding requests on that
> +- * connection fail. And sending a UDP request that we know
> +- * 'dnscache' will ignore is bad because resources will be tied up
> +- * until we time-out the request.
> +- */
> +- if (len > MAXCDNAME)
> +- return ARES_EBADNAME;
> +-
> +- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0);
> +- *buf = ares_malloc(*buflen);
> +- if (!*buf)
> +- return ARES_ENOMEM;
> ++ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
> ++ (max_udp_size ? EDNSFIXEDSZ : 0);
> ++ buf = ares_malloc(len);
> ++ if (!buf)
> ++ return ARES_ENOMEM;
> +
> + /* Set up the header. */
> +- q = *buf;
> ++ q = buf;
> + memset(q, 0, HFIXEDSZ);
> + DNS_HEADER_SET_QID(q, id);
> + DNS_HEADER_SET_OPCODE(q, QUERY);
> + if (rd) {
> + DNS_HEADER_SET_RD(q, 1);
> +@@ -157,23 +131,27 @@ int ares_create_query(const char *name, int dnsclass, int type,
> +
> + /* Start writing out the name after the header. */
> + q += HFIXEDSZ;
> + while (*name)
> + {
> +- if (*name == '.')
> ++ if (*name == '.') {
> ++ free (buf);
> + return ARES_EBADNAME;
> ++ }
> +
> + /* Count the number of bytes in this label. */
> + len = 0;
> + for (p = name; *p && *p != '.'; p++)
> + {
> + if (*p == '\\' && *(p + 1) != 0)
> + p++;
> + len++;
> + }
> +- if (len > MAXLABEL)
> ++ if (len > MAXLABEL) {
> ++ free (buf);
> + return ARES_EBADNAME;
> ++ }
> +
> + /* Encode the length and copy the data. */
> + *q++ = (unsigned char)len;
> + for (p = name; *p && *p != '.'; p++)
> + {
> +@@ -193,16 +171,32 @@ int ares_create_query(const char *name, int dnsclass, int type,
> +
> + /* Finish off the question with the type and class. */
> + DNS_QUESTION_SET_TYPE(q, type);
> + DNS_QUESTION_SET_CLASS(q, dnsclass);
> +
> ++ q += QFIXEDSZ;
> + if (max_udp_size)
> + {
> +- q += QFIXEDSZ;
> + memset(q, 0, EDNSFIXEDSZ);
> + q++;
> + DNS_RR_SET_TYPE(q, T_OPT);
> + DNS_RR_SET_CLASS(q, max_udp_size);
> ++ q += (EDNSFIXEDSZ-1);
> ++ }
> ++ buflen = (q - buf);
> ++
> ++ /* Reject names that are longer than the maximum of 255 bytes that's
> ++ * specified in RFC 1035 ("To simplify implementations, the total length of
> ++ * a domain name (i.e., label octets and label length octets) is restricted
> ++ * to 255 octets or less."). */
> ++ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
> ++ (max_udp_size ? EDNSFIXEDSZ : 0))) {
> ++ free (buf);
> ++ return ARES_EBADNAME;
> + }
> +
> ++ /* we know this fits in an int at this point */
> ++ *buflenp = (int) buflen;
> ++ *bufp = buf;
> ++
> + return ARES_SUCCESS;
> + }
> +--
> +2.9.3
> +
> diff --git a/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb b/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> index c98be7d..bea2332 100644
> --- a/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> +++ b/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> @@ -7,6 +7,7 @@ LICENSE = "MIT"
> LIC_FILES_CHKSUM = "file://ares_init.c;beginline=1;endline=3;md5=53f5ecf4c22c37cf1ddd1ef8f8eccce0"
>
> SRC_URI = "http://c-ares.haxx.se/download/${BP}.tar.gz \
> + file://CVE-2016-5180.patch \
> file://0001-configure.ac-don-t-override-passed-cflags.patch \
> "
> SRC_URI[md5sum] = "d5c6d522cfc54bb6f215a0b7912d46be"
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [meta-networking][morty][PATCH] c-ares: fix CVE-2016-5180
2016-10-20 23:38 ` akuster808
@ 2016-10-21 8:32 ` André Draszik
0 siblings, 0 replies; 3+ messages in thread
From: André Draszik @ 2016-10-21 8:32 UTC (permalink / raw)
To: openembedded-devel
This is just the backport for morty for the CVE... Shouldn't have to wait
for master. Otherwise, I submitted a version update for master (which also
includes this fix), if that's what you mean. So could indeed use that on
morty, too. At least for me, updating to 1.12.0 didn't break other code...
Up to you :-)
Cheers,
Andre'
On Thu, 2016-10-20 at 16:38 -0700, akuster808 wrote:
> On 10/20/16 3:33 PM, André Draszik wrote:
> > Backport patch to fix CVE-2016-5180 from c-ares upstream:
> > https://c-ares.haxx.se/adv_20160929.html
>
> awesome. Once this hits master I will pull it over.
>
> Thanks,
> Armin
> >
> > Signed-off-by: André Draszik <git@andred.net>
> > ---
> > .../c-ares/c-ares/CVE-2016-5180.patch | 166
> > +++++++++++++++++++++
> > .../recipes-support/c-ares/c-ares_1.11.0.bb | 1 +
> > 2 files changed, 167 insertions(+)
> > create mode 100644 meta-networking/recipes-support/c-ares/c-ares/CVE-
> > 2016-5180.patch
> >
> > diff --git a/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-
> > 5180.patch b/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-
> > 5180.patch
> > new file mode 100644
> > index 0000000..0b4fbb4
> > --- /dev/null
> > +++ b/meta-networking/recipes-support/c-ares/c-ares/CVE-2016-5180.patch
> > @@ -0,0 +1,166 @@
> > +From 115fe381c75147352d7a8d21aa3ffb85ca367219 Mon Sep 17 00:00:00 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Fri, 23 Sep 2016 14:44:11 +0200
> > +Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite
> > +
> > +... when the name ends with an escaped dot.
> > +
> > +CVE-2016-5180
> > +
> > +Bug: https://c-ares.haxx.se/adv_20160929.html
> > +---
> > +Upstream-Status: Backport [https://c-ares.haxx.se/adv_20160929.html]
> > +CVE: CVE-2016-5180
> > +Signed-off-by: André Draszik <git@andred.net>
> > + ares_create_query.c | 84 +++++++++++++++++++++++++------------------
> > ----------
> > + 1 file changed, 39 insertions(+), 45 deletions(-)
> > +
> > +diff --git a/ares_create_query.c b/ares_create_query.c
> > +index a34dda7..7f4c52d 100644
> > +--- a/ares_create_query.c
> > ++++ b/ares_create_query.c
> > +@@ -83,61 +83,35 @@
> > + * label. The list is terminated by a label of length zero (which can
> > + * be thought of as the root domain).
> > + */
> > +
> > + int ares_create_query(const char *name, int dnsclass, int type,
> > +- unsigned short id, int rd, unsigned char **buf,
> > +- int *buflen, int max_udp_size)
> > ++ unsigned short id, int rd, unsigned char **bufp,
> > ++ int *buflenp, int max_udp_size)
> > + {
> > +- int len;
> > ++ size_t len;
> > + unsigned char *q;
> > + const char *p;
> > ++ size_t buflen;
> > ++ unsigned char *buf;
> > +
> > + /* Set our results early, in case we bail out early with an error.
> > */
> > +- *buflen = 0;
> > +- *buf = NULL;
> > ++ *buflenp = 0;
> > ++ *bufp = NULL;
> > +
> > +- /* Compute the length of the encoded name so we can check buflen.
> > +- * Start counting at 1 for the zero-length label at the end. */
> > +- len = 1;
> > +- for (p = name; *p; p++)
> > +- {
> > +- if (*p == '\\' && *(p + 1) != 0)
> > +- p++;
> > +- len++;
> > +- }
> > +- /* If there are n periods in the name, there are n + 1 labels, and
> > +- * thus n + 1 length fields, unless the name is empty or ends with a
> > +- * period. So add 1 unless name is empty or ends with a period.
> > ++ /* Allocate a memory area for the maximum size this packet might
> > need. +2
> > ++ * is for the length byte and zero termination if no dots or
> > ecscaping is
> > ++ * used.
> > + */
> > +- if (*name && *(p - 1) != '.')
> > +- len++;
> > +-
> > +- /* Immediately reject names that are longer than the maximum of 255
> > +- * bytes that's specified in RFC 1035 ("To simplify implementations,
> > +- * the total length of a domain name (i.e., label octets and label
> > +- * length octets) is restricted to 255 octets or less."). We aren't
> > +- * doing this just to be a stickler about RFCs. For names that are
> > +- * too long, 'dnscache' closes its TCP connection to us immediately
> > +- * (when using TCP) and ignores the request when using UDP, and
> > +- * BIND's named returns ServFail (TCP or UDP). Sending a request
> > +- * that we know will cause 'dnscache' to close the TCP connection is
> > +- * painful, since that makes any other outstanding requests on that
> > +- * connection fail. And sending a UDP request that we know
> > +- * 'dnscache' will ignore is bad because resources will be tied up
> > +- * until we time-out the request.
> > +- */
> > +- if (len > MAXCDNAME)
> > +- return ARES_EBADNAME;
> > +-
> > +- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ :
> > 0);
> > +- *buf = ares_malloc(*buflen);
> > +- if (!*buf)
> > +- return ARES_ENOMEM;
> > ++ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
> > ++ (max_udp_size ? EDNSFIXEDSZ : 0);
> > ++ buf = ares_malloc(len);
> > ++ if (!buf)
> > ++ return ARES_ENOMEM;
> > +
> > + /* Set up the header. */
> > +- q = *buf;
> > ++ q = buf;
> > + memset(q, 0, HFIXEDSZ);
> > + DNS_HEADER_SET_QID(q, id);
> > + DNS_HEADER_SET_OPCODE(q, QUERY);
> > + if (rd) {
> > + DNS_HEADER_SET_RD(q, 1);
> > +@@ -157,23 +131,27 @@ int ares_create_query(const char *name, int
> > dnsclass, int type,
> > +
> > + /* Start writing out the name after the header. */
> > + q += HFIXEDSZ;
> > + while (*name)
> > + {
> > +- if (*name == '.')
> > ++ if (*name == '.') {
> > ++ free (buf);
> > + return ARES_EBADNAME;
> > ++ }
> > +
> > + /* Count the number of bytes in this label. */
> > + len = 0;
> > + for (p = name; *p && *p != '.'; p++)
> > + {
> > + if (*p == '\\' && *(p + 1) != 0)
> > + p++;
> > + len++;
> > + }
> > +- if (len > MAXLABEL)
> > ++ if (len > MAXLABEL) {
> > ++ free (buf);
> > + return ARES_EBADNAME;
> > ++ }
> > +
> > + /* Encode the length and copy the data. */
> > + *q++ = (unsigned char)len;
> > + for (p = name; *p && *p != '.'; p++)
> > + {
> > +@@ -193,16 +171,32 @@ int ares_create_query(const char *name, int
> > dnsclass, int type,
> > +
> > + /* Finish off the question with the type and class. */
> > + DNS_QUESTION_SET_TYPE(q, type);
> > + DNS_QUESTION_SET_CLASS(q, dnsclass);
> > +
> > ++ q += QFIXEDSZ;
> > + if (max_udp_size)
> > + {
> > +- q += QFIXEDSZ;
> > + memset(q, 0, EDNSFIXEDSZ);
> > + q++;
> > + DNS_RR_SET_TYPE(q, T_OPT);
> > + DNS_RR_SET_CLASS(q, max_udp_size);
> > ++ q += (EDNSFIXEDSZ-1);
> > ++ }
> > ++ buflen = (q - buf);
> > ++
> > ++ /* Reject names that are longer than the maximum of 255 bytes that's
> > ++ * specified in RFC 1035 ("To simplify implementations, the total
> > length of
> > ++ * a domain name (i.e., label octets and label length octets) is
> > restricted
> > ++ * to 255 octets or less."). */
> > ++ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
> > ++ (max_udp_size ? EDNSFIXEDSZ : 0))) {
> > ++ free (buf);
> > ++ return ARES_EBADNAME;
> > + }
> > +
> > ++ /* we know this fits in an int at this point */
> > ++ *buflenp = (int) buflen;
> > ++ *bufp = buf;
> > ++
> > + return ARES_SUCCESS;
> > + }
> > +--
> > +2.9.3
> > +
> > diff --git a/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> > b/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> > index c98be7d..bea2332 100644
> > --- a/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> > +++ b/meta-networking/recipes-support/c-ares/c-ares_1.11.0.bb
> > @@ -7,6 +7,7 @@ LICENSE = "MIT"
> > LIC_FILES_CHKSUM =
> > "file://ares_init.c;beginline=1;endline=3;md5=53f5ecf4c22c37cf1ddd1ef8f8
> > eccce0"
> >
> > SRC_URI = "http://c-ares.haxx.se/download/${BP}.tar.gz \
> > + file://CVE-2016-5180.patch \
> > file://0001-configure.ac-don-t-override-passed-cflags.patch
> > \
> > "
> > SRC_URI[md5sum] = "d5c6d522cfc54bb6f215a0b7912d46be"
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-10-21 8:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-20 22:33 [meta-networking][morty][PATCH] c-ares: fix CVE-2016-5180 André Draszik
2016-10-20 23:38 ` akuster808
2016-10-21 8:32 ` André Draszik
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.