Blame - meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch - openbmc/openbmc

blob: 218b60a85cc354953f7ea26c546ca17c52a8042e [file] [log] [blame]

Patrick Williams	f1e5d69	2016-03-30 15:21:19 -0500	[diff] [blame^]	1	From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
				2	From: Waldemar Brodkorb <wbx@openadk.org>
				3	Date: Sun, 17 Jan 2016 15:47:22 +0100
				4	Subject: [PATCH] Do not follow compressed items forever.
				5
				6	It is possible to get stuck in an infinite loop when receiving a
				7	specially crafted DNS reply. Exit the loop after a number of iteration
				8	and consider the packet invalid.
				9
				10	Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
				11	Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
				12
				13	Upstream-status: Backport
				14	http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
				15
				16	CVE: CVE-2016-2224
				17	Signed-off-by: Armin Kuster <akuster@mvista.com>
				18
				19	---
				20	libc/inet/resolv.c \| 5 ++++-
				21	1 file changed, 4 insertions(+), 1 deletion(-)
				22
				23	Index: git/libc/inet/resolv.c
				24	===================================================================
				25	--- git.orig/libc/inet/resolv.c
				26	+++ git/libc/inet/resolv.c
				27	@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
				28	bool measure = 1;
				29	unsigned total = 0;
				30	unsigned used = 0;
				31	+ unsigned maxiter = 256;
				32
				33	if (!packet)
				34	return -1;
				35
				36	- while (1) {
				37	+ while (--maxiter) {
				38	if (offset >= packet_len)
				39	return -1;
				40	b = packet[offset++];
				41	@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
				42	else
				43	dest[used++] = '\0';
				44	}
				45	+ if (!maxiter)
				46	+ return -1;
				47
				48	/* The null byte must be counted too */
				49	if (measure)