* [meta-networking][dunfell][PATCH ] dnsmasq: Fix CVE-2022-0934
@ 2022-09-21 10:04 Virendra Thakur
       [not found] ` <ff26c94d-dbf0-f67c-a200-b2f2a641aba2@gmail.com>
  0 siblings, 1 reply; 2+ messages in thread
From: Virendra Thakur @ 2022-09-21 10:04 UTC (permalink / raw)
  To: openembedded-devel; +Cc: akuster808, Virendra Thakur

From: Virendra Thakur <virendrak@kpit.com>

Add patch to fix CVE-2022-0934

Link: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 .../recipes-support/dnsmasq/dnsmasq_2.81.bb   |   1 +
 .../dnsmasq/files/CVE-2022-0934.patch         | 188 ++++++++++++++++++
 2 files changed, 189 insertions(+)
 create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index 2fb389915..8db57edb7 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -11,4 +11,5 @@ SRC_URI += "\
     file://CVE-2020-25686-1.patch \
     file://CVE-2020-25686-2.patch \
     file://CVE-2021-3448.patch \
+    file://CVE-2022-0934.patch \
 "
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
new file mode 100644
index 000000000..f14fc358b
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
@@ -0,0 +1,188 @@
+From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 31 Mar 2022 21:35:20 +0100
+Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
+ refers.
+
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39]
+CVE: CVE-2022-0934
+Comment: Hunk from CHANGELOG and rfc3315.c are refresh base on dnsmasq 2.81 version
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: dnsmasq-2.81/CHANGELOG
+===================================================================
+--- dnsmasq-2.81.orig/CHANGELOG
++++ dnsmasq-2.81/CHANGELOG
+@@ -88,6 +88,9 @@ version 2.81
+
+       Add --script-on-renewal option.
+
++      Fix write-after-free error in DHCPv6 server code.
++      CVE-2022-0934 refers.
++
+
+ version 2.80
+       Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+Index: dnsmasq-2.81/src/rfc3315.c
+===================================================================
+--- dnsmasq-2.81.orig/src/rfc3315.c
++++ dnsmasq-2.81/src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+   unsigned int mac_len, mac_type;
+ };
+
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+                            struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c
+ }
+
+ /* This cost me blood to write, it will probably cost you blood to understand - srk. */
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+                            struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+   void *end = inbuff + sz;
+   void *opts = inbuff + 34;
+-  int msg_type = *((unsigned char *)inbuff);
++  int msg_type = *inbuff;
+   unsigned char *outmsgtypep;
+   void *opt;
+   struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat
+   return 1;
+ }
+
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+   void *opt;
+-  int i, o, o1, start_opts;
++  int i, o, o1, start_opts, start_msg;
+   struct dhcp_opt *opt_cfg;
+   struct dhcp_netid *tagif;
+   struct dhcp_config *config = NULL;
+   struct dhcp_netid known_id, iface_id, v6_id;
+-  unsigned char *outmsgtypep;
++  unsigned char outmsgtype;
+   struct dhcp_vendor *vendor;
+   struct dhcp_context *context_tmp;
+   struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *
+   v6_id.next = state->tags;
+   state->tags = &v6_id;
+
+-  /* copy over transaction-id, and save pointer to message type */
+-  if (!(outmsgtypep = put_opt6(inbuff, 4)))
++  start_msg = save_counter(-1);
++  /* copy over transaction-id */
++  if (!put_opt6(inbuff, 4))
+     return 0;
+   start_opts = save_counter(-1);
+-  state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-
++  state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
++
+   /* We're going to be linking tags from all context we use.
+      mark them as unused so we don't link one twice and break the list */
+   for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *
+       (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+
+     {
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+       o1 = new_opt6(OPTION6_STATUS_CODE);
+       put_opt6_short(DHCP6USEMULTI);
+       put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *
+       struct dhcp_netid *solicit_tags;
+       struct dhcp_context *c;
+
+-      *outmsgtypep = DHCP6ADVERTISE;
++      outmsgtype = DHCP6ADVERTISE;
+
+       if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+         {
+-          *outmsgtypep = DHCP6REPLY;
++          outmsgtype = DHCP6REPLY;
+           state->lease_allocate = 1;
+           o = new_opt6(OPTION6_RAPID_COMMIT);
+           end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *
+       int start = save_counter(-1);
+
+       /* set reply message type */
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+       state->lease_allocate = 1;
+
+       log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *
+     case DHCP6RENEW:
+       {
+       /* set reply message type */
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+
+       log6_quiet(state, "DHCPRENEW", NULL, NULL);
+
+@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *
+       int good_addr = 0;
+
+       /* set reply message type */
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+
+       log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+
+@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *
+       log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
+       if (ignore)
+         return 0;
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+       tagif = add_options(state, 1);
+       break;
+       }
+@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *
+     case DHCP6RELEASE:
+       {
+       /* set reply message type */
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+
+       log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+
+@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *
+     case DHCP6DECLINE:
+       {
+       /* set reply message type */
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+
+       log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+
+@@ -1251,10 +1252,15 @@ static int dhcp6_no_relay(struct state *
+       }
+
+     }
+-
++
++  /* Fill in the message type. Note that we store the offset,
++     not a direct pointer, since the packet memory may have been
++     reallocated. */
++  ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
++
+   log_tags(tagif, state->xid);
+   log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+-
++
+   return 1;
+
+ }
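Review bot: In dhcp6_no_relay the new local is declared as `unsigned char outmsgtype;` with no initial value, yet the store added at the end of the function, `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;`, runs on every path that gets that far. Each message-type case visible in these hunks assigns it, but the switch statement and any default arm lie outside the hunks, so it cannot be confirmed from here that no path reaches the store with the variable unset; if one does, an indeterminate byte would go out as the reply's message type. Initialising the declaration, e.g. `unsigned char outmsgtype = DHCP6REPLY;`, would make the store safe regardless, though whether that default is appropriate should be checked against the 2.81 source. I would also add a short comment at `start_msg = save_counter(-1);` saying that it records the offset of the message-type byte rather than a pointer, because later option writes may reallocate the output packet (as the new comment before the final store explains). The same points apply to the attached copy of this patch later in the thread.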
--
2.17.1




* Re: [meta-networking][dunfell][PATCH ] dnsmasq: Fix CVE-2022-0934
       [not found] ` <ff26c94d-dbf0-f67c-a200-b2f2a641aba2@gmail.com>
@ 2022-09-29 13:52   ` Virendra Kumar Thakur
  0 siblings, 0 replies; 2+ messages in thread
From: Virendra Kumar Thakur @ 2022-09-29 13:52 UTC (permalink / raw)
  To: akuster808, openembedded-devel


[-- Attachment #1.1: Type: text/plain, Size: 13190 bytes --]

Hi Armin,

It looks like there is an issue with the mailer, as the same problem was observed earlier when I submitted my patch to poky.

I am attaching the patch file to this message; can you please check it?
I hope the issue will not occur this time, as I am able to build with the same change in my setup.

Sorry for the inconvenience.

Best Regards
Virendra Thakur


________________________________
From: akuster808 <akuster808@gmail.com>
Sent: Thursday, September 29, 2022 6:47 PM
To: Virendra Kumar Thakur <Virendra.Thakur@kpit.com>; openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org>
Cc: Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Subject: Re: [meta-networking][dunfell][PATCH ] dnsmasq: Fix CVE-2022-0934


On 9/21/22 06:04, Virendra Thakur wrote:
> From: Virendra Thakur <virendrak@kpit.com>
>
> Add patch to fix CVE-2022-0934
>
> Link: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39

This patch does not apply.

ERROR: dnsmasq-2.81-r0 do_patch: Applying patch 'CVE-2022-0934.patch' on
target directory
'/builds/stable/build/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/dnsmasq/2.81-r0/dnsmasq-2.81'
Command Error: 'quilt --quiltrc
/builds/stable/build/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/dnsmasq/2.81-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0  Output:
Applying patch CVE-2022-0934.patch
patching file CHANGELOG
Hunk #1 succeeded at 225 with fuzz 2 (offset 137 lines).
patching file src/rfc3315.c
Hunk #1 FAILED at 33.
Hunk #2 FAILED at 104.
Hunk #4 FAILED at 296.
Hunk #5 FAILED at 347.
Hunk #6 FAILED at 619.
Hunk #7 FAILED at 809.
Hunk #8 FAILED at 921.
Hunk #9 FAILED at 1033.
Hunk #10 FAILED at 1097.
Hunk #11 FAILED at 1106.
Hunk #12 FAILED at 1171.
Hunk #13 FAILED at 1251.
12 out of 13 hunks FAILED -- rejects in file src/rfc3315.c
Patch CVE-2022-0934.patch does not apply (enforce with -f)
ERROR: Logfile of failure stored in:
/builds/stable/build/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/dnsmasq/2.81-r0/temp/log.do_patch.3767721
ERROR: Task
(/builds/stable/meta-openembedded-contrib/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb:do_patch)
failed with exit code '1'

>
> Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> ---
>   .../recipes-support/dnsmasq/dnsmasq_2.81.bb   |   1 +
>   .../dnsmasq/files/CVE-2022-0934.patch         | 188 ++++++++++++++++++
>   2 files changed, 189 insertions(+)
>   create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
>
> diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
> index 2fb389915..8db57edb7 100644
> --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
> +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
> @@ -11,4 +11,5 @@ SRC_URI += "\
>       file://CVE-2020-25686-1.patch \
>       file://CVE-2020-25686-2.patch \
>       file://CVE-2021-3448.patch \
> +    file://CVE-2022-0934.patch \
>   "
> diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
> new file mode 100644
> index 000000000..f14fc358b
> --- /dev/null
> +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
> @@ -0,0 +1,188 @@
> +From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001
> +From: Simon Kelley <simon@thekelleys.org.uk>
> +Date: Thu, 31 Mar 2022 21:35:20 +0100
> +Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
> + refers.
> +
> +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fthekelleys.org.uk%2Fgitweb%2F%3Fp%3Ddnsmasq.git%3Ba%3Dpatch%3Bh%3D03345ecefeb0d82e3c3a4c28f27c3554f0611b39&amp;data=05%7C01%7Cvirendra.thakur%40kpit.com%7Caefd0b7e69094f3d442008daa21ceabf%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638000542342850915%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=V0PUvHu2OXcyxHXcXYJIQT36GOVYRMgog3%2FftKF90iM%3D&amp;reserved=0]
> +CVE: CVE-2022-0934
> +Comment: Hunk from CHANGELOG and rfc3315.c are refresh base on dnsmasq 2.81 version
> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
> +---
> +Index: dnsmasq-2.81/CHANGELOG
> +===================================================================
> +--- dnsmasq-2.81.orig/CHANGELOG
> ++++ dnsmasq-2.81/CHANGELOG
> +@@ -88,6 +88,9 @@ version 2.81
> +
> +       Add --script-on-renewal option.
> +
> ++      Fix write-after-free error in DHCPv6 server code.
> ++      CVE-2022-0934 refers.
> ++
> +
> + version 2.80
> +       Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
> +Index: dnsmasq-2.81/src/rfc3315.c
> +===================================================================
> +--- dnsmasq-2.81.orig/src/rfc3315.c
> ++++ dnsmasq-2.81/src/rfc3315.c
> +@@ -33,9 +33,9 @@ struct state {
> +   unsigned int mac_len, mac_type;
> + };
> +
> +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
> ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
> +                            struct in6_addr *client_addr, int is_unicast, time_t now);
> +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
> ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
> + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
> + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
> + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
> +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c
> + }
> +
> + /* This cost me blood to write, it will probably cost you blood to understand - srk. */
> +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
> ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
> +                            struct in6_addr *client_addr, int is_unicast, time_t now)
> + {
> +   void *end = inbuff + sz;
> +   void *opts = inbuff + 34;
> +-  int msg_type = *((unsigned char *)inbuff);
> ++  int msg_type = *inbuff;
> +   unsigned char *outmsgtypep;
> +   void *opt;
> +   struct dhcp_vendor *vendor;
> +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat
> +   return 1;
> + }
> +
> +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
> ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
> + {
> +   void *opt;
> +-  int i, o, o1, start_opts;
> ++  int i, o, o1, start_opts, start_msg;
> +   struct dhcp_opt *opt_cfg;
> +   struct dhcp_netid *tagif;
> +   struct dhcp_config *config = NULL;
> +   struct dhcp_netid known_id, iface_id, v6_id;
> +-  unsigned char *outmsgtypep;
> ++  unsigned char outmsgtype;
> +   struct dhcp_vendor *vendor;
> +   struct dhcp_context *context_tmp;
> +   struct dhcp_mac *mac_opt;
> +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *
> +   v6_id.next = state->tags;
> +   state->tags = &v6_id;
> +
> +-  /* copy over transaction-id, and save pointer to message type */
> +-  if (!(outmsgtypep = put_opt6(inbuff, 4)))
> ++  start_msg = save_counter(-1);
> ++  /* copy over transaction-id */
> ++  if (!put_opt6(inbuff, 4))
> +     return 0;
> +   start_opts = save_counter(-1);
> +-  state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
> +-
> ++  state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
> ++
> +   /* We're going to be linking tags from all context we use.
> +      mark them as unused so we don't link one twice and break the list */
> +   for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
> +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *
> +       (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
> +
> +     {
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +       o1 = new_opt6(OPTION6_STATUS_CODE);
> +       put_opt6_short(DHCP6USEMULTI);
> +       put_opt6_string("Use multicast");
> +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *
> +       struct dhcp_netid *solicit_tags;
> +       struct dhcp_context *c;
> +
> +-      *outmsgtypep = DHCP6ADVERTISE;
> ++      outmsgtype = DHCP6ADVERTISE;
> +
> +       if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
> +         {
> +-          *outmsgtypep = DHCP6REPLY;
> ++          outmsgtype = DHCP6REPLY;
> +           state->lease_allocate = 1;
> +           o = new_opt6(OPTION6_RAPID_COMMIT);
> +           end_opt6(o);
> +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *
> +       int start = save_counter(-1);
> +
> +       /* set reply message type */
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +       state->lease_allocate = 1;
> +
> +       log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
> +@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *
> +     case DHCP6RENEW:
> +       {
> +       /* set reply message type */
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +
> +       log6_quiet(state, "DHCPRENEW", NULL, NULL);
> +
> +@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *
> +       int good_addr = 0;
> +
> +       /* set reply message type */
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +
> +       log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
> +
> +@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *
> +       log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
> +       if (ignore)
> +         return 0;
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +       tagif = add_options(state, 1);
> +       break;
> +       }
> +@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *
> +     case DHCP6RELEASE:
> +       {
> +       /* set reply message type */
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +
> +       log6_quiet(state, "DHCPRELEASE", NULL, NULL);
> +
> +@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *
> +     case DHCP6DECLINE:
> +       {
> +       /* set reply message type */
> +-      *outmsgtypep = DHCP6REPLY;
> ++      outmsgtype = DHCP6REPLY;
> +
> +       log6_quiet(state, "DHCPDECLINE", NULL, NULL);
> +
> +@@ -1251,10 +1252,15 @@ static int dhcp6_no_relay(struct state *
> +       }
> +
> +     }
> +-
> ++
> ++  /* Fill in the message type. Note that we store the offset,
> ++     not a direct pointer, since the packet memory may have been
> ++     reallocated. */
> ++  ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
> ++
> +   log_tags(tagif, state->xid);
> +   log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
> +-
> ++
> +   return 1;
> +
> + }
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.


[-- Attachment #1.2: Type: text/html, Size: 21623 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-dnsmasq-Fix-CVE-2022-0934.patch --]
[-- Type: text/x-patch; name="0001-dnsmasq-Fix-CVE-2022-0934.patch", Size: 8384 bytes --]

From 55d2ec795789ef82f95120670470866a0a3db91c Mon Sep 17 00:00:00 2001
From: Virendra Thakur <virendrak@kpit.com>
Date: Wed, 14 Sep 2022 20:34:26 +0530
Subject: [PATCH] dnsmasq: Fix CVE-2022-0934

Add patch to fix CVE-2022-0934

Link: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 .../recipes-support/dnsmasq/dnsmasq_2.81.bb   |   1 +
 .../dnsmasq/files/CVE-2022-0934.patch         | 188 ++++++++++++++++++
 2 files changed, 189 insertions(+)
 create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index 2fb389915..8db57edb7 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -11,4 +11,5 @@ SRC_URI += "\
     file://CVE-2020-25686-1.patch \
     file://CVE-2020-25686-2.patch \
     file://CVE-2021-3448.patch \
+    file://CVE-2022-0934.patch \
 "
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
new file mode 100644
index 000000000..f14fc358b
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2022-0934.patch
@@ -0,0 +1,188 @@
+From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 31 Mar 2022 21:35:20 +0100
+Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
+ refers.
+
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39]
+CVE: CVE-2022-0934
+Comment: Hunk from CHANGELOG and rfc3315.c are refresh base on dnsmasq 2.81 version
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: dnsmasq-2.81/CHANGELOG
+===================================================================
+--- dnsmasq-2.81.orig/CHANGELOG
++++ dnsmasq-2.81/CHANGELOG
+@@ -88,6 +88,9 @@ version 2.81
+ 
+ 	Add --script-on-renewal option.
+ 
++	Fix write-after-free error in DHCPv6 server code.
++	CVE-2022-0934 refers.
++
+ 	
+ version 2.80
+ 	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+Index: dnsmasq-2.81/src/rfc3315.c
+===================================================================
+--- dnsmasq-2.81.orig/src/rfc3315.c
++++ dnsmasq-2.81/src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+   unsigned int mac_len, mac_type;
+ };
+ 
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, 
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, 
+ 			     struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c
+ }
+ 
+ /* This cost me blood to write, it will probably cost you blood to understand - srk. */
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, 
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, 
+ 			     struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+   void *end = inbuff + sz;
+   void *opts = inbuff + 34;
+-  int msg_type = *((unsigned char *)inbuff);
++  int msg_type = *inbuff;
+   unsigned char *outmsgtypep;
+   void *opt;
+   struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat
+   return 1;
+ }
+ 
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+   void *opt;
+-  int i, o, o1, start_opts;
++  int i, o, o1, start_opts, start_msg;
+   struct dhcp_opt *opt_cfg;
+   struct dhcp_netid *tagif;
+   struct dhcp_config *config = NULL;
+   struct dhcp_netid known_id, iface_id, v6_id;
+-  unsigned char *outmsgtypep;
++  unsigned char outmsgtype;
+   struct dhcp_vendor *vendor;
+   struct dhcp_context *context_tmp;
+   struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *
+   v6_id.next = state->tags;
+   state->tags = &v6_id;
+ 
+-  /* copy over transaction-id, and save pointer to message type */
+-  if (!(outmsgtypep = put_opt6(inbuff, 4)))
++  start_msg = save_counter(-1);
++  /* copy over transaction-id */
++  if (!put_opt6(inbuff, 4))
+     return 0;
+   start_opts = save_counter(-1);
+-  state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-   
++  state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
++    
+   /* We're going to be linking tags from all context we use. 
+      mark them as unused so we don't link one twice and break the list */
+   for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *
+       (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+     
+     {  
+-      *outmsgtypep = DHCP6REPLY;
++      outmsgtype = DHCP6REPLY;
+       o1 = new_opt6(OPTION6_STATUS_CODE);
+       put_opt6_short(DHCP6USEMULTI);
+       put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *
+ 	struct dhcp_netid *solicit_tags;
+ 	struct dhcp_context *c;
+ 	
+-	*outmsgtypep = DHCP6ADVERTISE;
++	outmsgtype = DHCP6ADVERTISE;
+ 	
+ 	if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+ 	  {
+-	    *outmsgtypep = DHCP6REPLY;
++	    outmsgtype = DHCP6REPLY;
+ 	    state->lease_allocate = 1;
+ 	    o = new_opt6(OPTION6_RAPID_COMMIT);
+ 	    end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *
+ 	int start = save_counter(-1);
+ 
+ 	/* set reply message type */
+-	*outmsgtypep = DHCP6REPLY;
++	outmsgtype = DHCP6REPLY;
+ 	state->lease_allocate = 1;
+ 
+ 	log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *
+     case DHCP6RENEW:
+       {
+ 	/* set reply message type */
+-	*outmsgtypep = DHCP6REPLY;
++	outmsgtype = DHCP6REPLY;
+ 	
+ 	log6_quiet(state, "DHCPRENEW", NULL, NULL);
+ 
+@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *
+ 	int good_addr = 0;
+ 
+ 	/* set reply message type */
+-	*outmsgtypep = DHCP6REPLY;
++	outmsgtype = DHCP6REPLY;
+ 	
+ 	log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+ 	
+@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *
+ 	log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
+ 	if (ignore)
+ 	  return 0;
+-	*outmsgtypep = DHCP6REPLY;
++	outmsgtype = DHCP6REPLY;
+ 	tagif = add_options(state, 1);
+ 	break;
+       }
+@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *
+     case DHCP6RELEASE:
+       {
+ 	/* set reply message type */
+-	*outmsgtypep = DHCP6REPLY;
++	outmsgtype = DHCP6REPLY;
+ 
+ 	log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+ 
+@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *
+     case DHCP6DECLINE:
+       {
+ 	/* set reply message type */
+-	*outmsgtypep = DHCP6REPLY;
++	outmsgtype = DHCP6REPLY;
+ 	
+ 	log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+ 
+@@ -1251,10 +1252,15 @@ static int dhcp6_no_relay(struct state *
+       }
+ 
+     }
+-  
++
++  /* Fill in the message type. Note that we store the offset,
++     not a direct pointer, since the packet memory may have been 
++     reallocated. */
++  ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
++
+   log_tags(tagif, state->xid);
+   log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+-  
++
+   return 1;
+ 
+ }
-- 
2.17.1

