yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch - openbmc/openbmc - Gitiles

 From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
 From: Waldemar Brodkorb <wbx@openadk.org>
 Date: Sun, 17 Jan 2016 15:47:22 +0100
 Subject: [PATCH] Do not follow compressed items forever.

 It is possible to get stuck in an infinite loop when receiving a
 specially crafted DNS reply. Exit the loop after a number of iteration
 and consider the packet invalid.

 Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
 Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

 Upstream-status: Backport
 http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515

 CVE: CVE-2016-2224
 Signed-off-by: Armin Kuster <akuster@mvista.com>

 ---
  libc/inet/resolv.c | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

 Index: git/libc/inet/resolv.c
 ===================================================================
 --- git.orig/libc/inet/resolv.c
 +++ git/libc/inet/resolv.c
 @@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
  	bool measure = 1;
  	unsigned total = 0;
  	unsigned used = 0;
 +	unsigned maxiter = 256;

  	if (!packet)
  		return -1;

 -	while (1) {
 +	while (--maxiter) {
  		if (offset >= packet_len)
  			return -1;
  		b = packet[offset++];
 @@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
  		else
  			dest[used++] = '\0';
  	}
 +	if (!maxiter)
 +		return -1;

  	/* The null byte must be counted too */
  	if (measure)
	From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
	From: Waldemar Brodkorb <wbx@openadk.org>
	Date: Sun, 17 Jan 2016 15:47:22 +0100
	Subject: [PATCH] Do not follow compressed items forever.

	It is possible to get stuck in an infinite loop when receiving a
	specially crafted DNS reply. Exit the loop after a number of iteration
	and consider the packet invalid.

	Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
	Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>

	Upstream-status: Backport
	http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515

	CVE: CVE-2016-2224
	Signed-off-by: Armin Kuster <akuster@mvista.com>

	---
	libc/inet/resolv.c \| 5 ++++-
	1 file changed, 4 insertions(+), 1 deletion(-)

	Index: git/libc/inet/resolv.c
	===================================================================
	--- git.orig/libc/inet/resolv.c
	+++ git/libc/inet/resolv.c
	@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
	bool measure = 1;
	unsigned total = 0;
	unsigned used = 0;
	+ unsigned maxiter = 256;

	if (!packet)
	return -1;

	- while (1) {
	+ while (--maxiter) {
	if (offset >= packet_len)
	return -1;
	b = packet[offset++];
	@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
	else
	dest[used++] = '\0';
	}
	+ if (!maxiter)
	+ return -1;

	/* The null byte must be counted too */
	if (measure)