| From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001 |
| From: Waldemar Brodkorb <wbx@openadk.org> |
| Date: Sun, 17 Jan 2016 15:47:22 +0100 |
| Subject: [PATCH] Do not follow compressed items forever. |
| |
| It is possible to get stuck in an infinite loop when receiving a |
| specially crafted DNS reply. Exit the loop after a number of iteration |
| and consider the packet invalid. |
| |
| Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> |
| Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> |
| |
| Upstream-status: Backport |
| http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515 |
| |
| CVE: CVE-2016-2224 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| libc/inet/resolv.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| Index: git/libc/inet/resolv.c |
| =================================================================== |
| --- git.orig/libc/inet/resolv.c |
| +++ git/libc/inet/resolv.c |
| @@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char |
| bool measure = 1; |
| unsigned total = 0; |
| unsigned used = 0; |
| + unsigned maxiter = 256; |
| |
| if (!packet) |
| return -1; |
| |
| - while (1) { |
| + while (--maxiter) { |
| if (offset >= packet_len) |
| return -1; |
| b = packet[offset++]; |
| @@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char |
| else |
| dest[used++] = '\0'; |
| } |
| + if (!maxiter) |
| + return -1; |
| |
| /* The null byte must be counted too */ |
| if (measure) |