| From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001 |
| From: Denys Vlasenko <vda.linux@googlemail.com> |
| Date: Thu, 10 Mar 2016 11:47:58 +0100 |
| Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name |
| |
| Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-2147 |
| |
| https://git.busybox.net/busybox/commit/?id=d474ffc |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| networking/udhcp/domain_codec.c | 13 +++++++++---- |
| 1 file changed, 9 insertions(+), 4 deletions(-) |
| |
| Index: busybox-1.23.2/networking/udhcp/domain_codec.c |
| =================================================================== |
| --- busybox-1.23.2.orig/networking/udhcp/domain_codec.c |
| +++ busybox-1.23.2/networking/udhcp/domain_codec.c |
| @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t |
| if (crtpos + *c + 1 > clen) /* label too long? abort */ |
| return NULL; |
| if (dst) |
| - memcpy(dst + len, c + 1, *c); |
| + /* \3com ---> "com." */ |
| + ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; |
| len += *c + 1; |
| crtpos += *c + 1; |
| - if (dst) |
| - dst[len - 1] = '.'; |
| } else { |
| /* NUL: end of current domain name */ |
| if (retpos == 0) { |
| @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t |
| crtpos = retpos; |
| retpos = depth = 0; |
| } |
| - if (dst) |
| + if (dst && len != 0) |
| + /* \4host\3com\0\4host and we are at \0: |
| + * \3com was converted to "com.", change dot to space. |
| + */ |
| dst[len - 1] = ' '; |
| } |
| |
| @@ -228,6 +230,9 @@ int main(int argc, char **argv) |
| int len; |
| uint8_t *encoded; |
| |
| + uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; |
| + printf("NUL:'%s'\n", dname_dec(str, 6, "")); |
| + |
| #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) |
| printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); |
| printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); |