Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame^] | 1 | From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001 |
| 2 | From: Waldemar Brodkorb <wbx@openadk.org> |
| 3 | Date: Sun, 17 Jan 2016 15:47:22 +0100 |
| 4 | Subject: [PATCH] Do not follow compressed items forever. |
| 5 | |
| 6 | It is possible to get stuck in an infinite loop when receiving a |
| 7 | specially crafted DNS reply. Exit the loop after a number of iterations |
| 8 | and consider the packet invalid. |
| 9 | |
| 10 | Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> |
| 11 | Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> |
| 12 | |
| 13 | Upstream-status: Backport |
| 14 | http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515 |
| 15 | |
| 16 | CVE: CVE-2016-2224 |
| 17 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 18 | |
| 19 | --- |
| 20 | libc/inet/resolv.c | 5 ++++- |
| 21 | 1 file changed, 4 insertions(+), 1 deletion(-) |
| 22 | |
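--- a/libc/inet/resolv.c
+++ b/libc/inet/resolv.c
@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
 bool measure = 1;
 unsigned total = 0;
 unsigned used = 0;
+unsigned maxiter = 256;
 
 if (!packet)
 return -1;
 
-while (1) {
+while (--maxiter) {
 if (offset >= packet_len)
 return -1;
 b = packet[offset++];
@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
 else
 dest[used++] = '\0';
 }
+if (!maxiter)
+return -1;
 
 /* The null byte must be counted too */
 if (measure)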
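Review bot: The cap `unsigned maxiter = 256;` in the first hunk is an undocumented magic number, and because the loop tests `while (--maxiter)` it permits 255 passes rather than 256. Every pass is counted, whether it consumes a label or follows a compression pointer; the pointer handling sits between the two hunks and is not visible here, so how close a legitimate, heavily compressed name can come to the limit should be checked against the full body of `__decode_dotted`. A comment above the declaration such as `/* Bound the passes over the packet: a valid name is at most 255 octets (RFC 1035), so hitting this limit is treated as a compression-pointer loop */` would record why the value was chosen. The post-loop `if (!maxiter) return -1;` relies on the normal exit being a `break` that leaves `maxiter` non-zero, which appears to hold but depends on code outside these hunks.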