4398
|
1 |
Upstream patch to address CVE-2015-3294.
|
|
2 |
|
|
3 |
From ad4a8ff7d9097008d7623df8543df435bfddeac8 Mon Sep 17 00:00:00 2001
|
|
4 |
From: Simon Kelley <[email protected]>
|
|
5 |
Date: Thu, 9 Apr 2015 21:48:00 +0100
|
|
6 |
Subject: [PATCH] Fix crash on receipt of certain malformed DNS requests.
|
|
7 |
|
|
8 |
---
|
|
9 |
CHANGELOG | 3 +++
|
|
10 |
src/rfc1035.c | 9 ++++++---
|
|
11 |
2 files changed, 9 insertions(+), 3 deletions(-)
|
|
12 |
|
|
13 |
diff --git a/CHANGELOG b/CHANGELOG
|
|
14 |
index 6aa3d85..9af6170 100644
|
|
15 |
|
|
16 |
--- a/CHANGELOG
|
|
17 |
+++ b/CHANGELOG
|
|
18 |
@@ -125,6 +125,9 @@ version 2.72
|
|
19 |
Fix problem with --local-service option on big-endian platforms
|
|
20 |
Thanks to Richard Genoud for the patch.
|
|
21 |
|
|
22 |
+ Fix crash on receipt of certain malformed DNS requests. Thanks
|
|
23 |
+ to Nick Sampanis for spotting the problem.
|
|
24 |
+
|
|
25 |
|
|
26 |
version 2.71
|
|
27 |
Subtle change to error handling to help DNSSEC validation
|
|
28 |
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
|
29 |
index 7a07b0c..a995ab5 100644
|
|
30 |
--- a/src/rfc1035.c
|
|
31 |
+++ b/src/rfc1035.c
|
|
32 |
@@ -1198,7 +1198,10 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
|
|
33 |
size_t setup_reply(struct dns_header *header, size_t qlen,
|
|
34 |
struct all_addr *addrp, unsigned int flags, unsigned long ttl)
|
|
35 |
{
|
|
36 |
- unsigned char *p = skip_questions(header, qlen);
|
|
37 |
+ unsigned char *p;
|
|
38 |
+
|
|
39 |
+ if (!(p = skip_questions(header, qlen)))
|
|
40 |
+ return 0;
|
|
41 |
|
|
42 |
/* clear authoritative and truncated flags, set QR flag */
|
|
43 |
header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
|
|
44 |
@@ -1214,7 +1217,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
|
|
45 |
SET_RCODE(header, NOERROR); /* empty domain */
|
|
46 |
else if (flags == F_NXDOMAIN)
|
|
47 |
SET_RCODE(header, NXDOMAIN);
|
|
48 |
- else if (p && flags == F_IPV4)
|
|
49 |
+ else if (flags == F_IPV4)
|
|
50 |
{ /* we know the address */
|
|
51 |
SET_RCODE(header, NOERROR);
|
|
52 |
header->ancount = htons(1);
|
|
53 |
@@ -1222,7 +1225,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
|
|
54 |
add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
|
|
55 |
}
|
|
56 |
#ifdef HAVE_IPV6
|
|
57 |
- else if (p && flags == F_IPV6)
|
|
58 |
+ else if (flags == F_IPV6)
|
|
59 |
{
|
|
60 |
SET_RCODE(header, NOERROR);
|
|
61 |
header->ancount = htons(1)
|
|
62 |
--
|
|
63 |
1.7.10.4
|
|
64 |
|