new file mode 100644

@@ -0,0 +1,358 @@

+diff -Naur dnsmasq-2.76.orig/src/dnsmasq.h dnsmasq-2.76/src/dnsmasq.h

+--- dnsmasq-2.76.orig/src/dnsmasq.h	2016-05-18 07:51:54.000000000 -0700

+@@ -1161,7 +1161,7 @@

+ u64 rand64(void);

+ int legal_hostname(char *c);

+ char *canonicalise(char *s, int *nomem);

+-unsigned char *do_rfc1035_name(unsigned char *p, char *sval);

++unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);

+ void *safe_malloc(size_t size);

+ void safe_pipe(int *fd, int read_noblock);

+ void *whine_malloc(size_t size);

+diff -Naur dnsmasq-2.76.orig/src/dnssec.c dnsmasq-2.76/src/dnssec.c

+--- dnsmasq-2.76.orig/src/dnssec.c	2016-05-18 07:51:54.000000000 -0700

+@@ -2227,7 +2227,7 @@

+ 

+   p = (unsigned char *)(header+1);

+ 	

+-  p = do_rfc1035_name(p, name);

++  p = do_rfc1035_name(p, name, NULL);

+   *p++ = 0;

+   PUTSHORT(type, p);

+   PUTSHORT(class, p);

+diff -Naur dnsmasq-2.76.orig/src/edns0.c dnsmasq-2.76/src/edns0.c

+--- dnsmasq-2.76.orig/src/edns0.c	2016-05-18 07:51:54.000000000 -0700

+@@ -144,7 +144,7 @@

+ 	  GETSHORT(len, p);

+ 	  

+ 	  /* malformed option, delete the whole OPT RR and start again. */

+-	  if (i + len > rdlen)

++	  if (i + 4 + len > rdlen)

+ 	    {

+ 	      rdlen = 0;

+ 	      is_last = 0;

+@@ -159,7 +159,7 @@

+ 	      /* delete option if we're to replace it. */

+ 	      p -= 4;

+ 	      rdlen -= len + 4;

+-	      memcpy(p, p+len+4, rdlen - i);

++	      memmove(p, p+len+4, rdlen - i);

+ 	      PUTSHORT(rdlen, lenp);

+ 	      lenp -= 2;

+ 	    }

+@@ -192,7 +192,15 @@

+ 	  !(p = skip_section(p, 

+ 			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 

+ 			     header, plen)))

++      {

++	free(buff);

+ 	return plen;

++      }

++      if (p + 11 > limit)

++      {

++        free(buff);

++        return plen; /* Too big */

++      }

+       *p++ = 0; /* empty name */

+       PUTSHORT(T_OPT, p);

+       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */

+@@ -204,6 +212,11 @@

+       /* Copy back any options */

+       if (buff)

+ 	{

++          if (p + rdlen > limit)

++          {

++            free(buff);

++            return plen; /* Too big */

++          }

+ 	  memcpy(p, buff, rdlen);

+ 	  free(buff);

+ 	  p += rdlen;

+@@ -217,8 +230,12 @@

+   /* Add new option */

+   if (optno != 0 && replace != 2)

+     {

++      if (p + 4 > limit)

++       return plen; /* Too big */

+       PUTSHORT(optno, p);

+       PUTSHORT(optlen, p);

++      if (p + optlen > limit)

++       return plen; /* Too big */

+       memcpy(p, opt, optlen);

+       p += optlen;  

+       PUTSHORT(p - datap, lenp);

+diff -Naur dnsmasq-2.76.orig/src/forward.c dnsmasq-2.76/src/forward.c

+--- dnsmasq-2.76.orig/src/forward.c	2016-05-18 07:51:54.000000000 -0700

+@@ -1410,6 +1410,10 @@

+ 	udp_size = daemon->edns_pktsz;

+     }

+ 

++  // Make sure the udp size is not smaller than the incoming message so that we

++  // do not underflow

++  if (udp_size < n) udp_size = n;

++

+ #ifdef HAVE_AUTH

+   if (auth_dns)

+     {

+diff -Naur dnsmasq-2.76.orig/src/option.c dnsmasq-2.76/src/option.c

+--- dnsmasq-2.76.orig/src/option.c	2016-05-18 07:51:54.000000000 -0700

+@@ -1378,7 +1378,7 @@

+ 		    }

+ 		  

+ 		  p = newp;

+-		  end = do_rfc1035_name(p + len, dom);

++		  end = do_rfc1035_name(p + len, dom, NULL);

+ 		  *end++ = 0;

+ 		  len = end - p;

+ 		  free(dom);

+diff -Naur dnsmasq-2.76.orig/src/radv.c dnsmasq-2.76/src/radv.c

+--- dnsmasq-2.76.orig/src/radv.c	2016-05-18 07:51:54.000000000 -0700

+@@ -198,6 +198,9 @@

+       /* look for link-layer address option for logging */

+       if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz)

+ 	{

++	  if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {

++	    return;

++	  }

+ 	  print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2);

+ 	  mac = daemon->namebuff;

+ 	}

+diff -Naur dnsmasq-2.76.orig/src/rfc1035.c dnsmasq-2.76/src/rfc1035.c

+--- dnsmasq-2.76.orig/src/rfc1035.c	2016-05-18 07:51:54.000000000 -0700

+@@ -37,7 +37,7 @@

+ 	/* end marker */

+ 	{

+ 	  /* check that there are the correct no of bytes after the name */

+-	  if (!CHECK_LEN(header, p, plen, extrabytes))

++	  if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes))

+ 	    return 0;

+ 	  

+ 	  if (isExtract)

+@@ -485,6 +485,8 @@

+ 	    {

+ 	      unsigned int i, len = *p1;

+ 	      unsigned char *p2 = p1;

++	      if ((p1 + len - p) >= rdlen)

++	        return 0; /* bad packet */

+ 	      /* make counted string zero-term  and sanitise */

+ 	      for (i = 0; i < len; i++)

+ 		{

+@@ -1058,12 +1060,21 @@

+   unsigned short usval;

+   long lval;

+   char *sval;

++#define CHECK_LIMIT(size) \

++  if (limit && p + (size) > (unsigned char*)limit) \

++    { \

++      va_end(ap); \

++      goto truncated; \

++    }

+ 

+   if (truncp && *truncp)

+     return 0;

+- 

++

+   va_start(ap, format);   /* make ap point to 1st unamed argument */

+-  

++

++  /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */

++  CHECK_LIMIT(12);

++

+   if (nameoffset > 0)

+     {

+       PUTSHORT(nameoffset | 0xc000, p);

+@@ -1072,7 +1083,13 @@

+     {

+       char *name = va_arg(ap, char *);

+       if (name)

+-	p = do_rfc1035_name(p, name);

++	p = do_rfc1035_name(p, name, limit);

++        if (!p)

++          {

++            va_end(ap);

++            goto truncated;

++          }

++

+       if (nameoffset < 0)

+ 	{

+ 	  PUTSHORT(-nameoffset | 0xc000, p);

+@@ -1093,6 +1110,7 @@

+       {

+ #ifdef HAVE_IPV6

+       case '6':

++        CHECK_LIMIT(IN6ADDRSZ);

+ 	sval = va_arg(ap, char *); 

+ 	memcpy(p, sval, IN6ADDRSZ);

+ 	p += IN6ADDRSZ;

+@@ -1100,36 +1118,47 @@

+ #endif

+ 	

+       case '4':

++        CHECK_LIMIT(INADDRSZ);

+ 	sval = va_arg(ap, char *); 

+ 	memcpy(p, sval, INADDRSZ);

+ 	p += INADDRSZ;

+ 	break;

+ 	

+       case 'b':

++        CHECK_LIMIT(1);

+ 	usval = va_arg(ap, int);

+ 	*p++ = usval;

+ 	break;

+ 	

+       case 's':

++        CHECK_LIMIT(2);

+ 	usval = va_arg(ap, int);

+ 	PUTSHORT(usval, p);

+ 	break;

+ 	

+       case 'l':

++        CHECK_LIMIT(4);

+ 	lval = va_arg(ap, long);

+ 	PUTLONG(lval, p);

+ 	break;

+ 	

+       case 'd':

+-	/* get domain-name answer arg and store it in RDATA field */

+-	if (offset)

+-	  *offset = p - (unsigned char *)header;

+-	p = do_rfc1035_name(p, va_arg(ap, char *));

+-	*p++ = 0;

++        /* get domain-name answer arg and store it in RDATA field */

++        if (offset)

++          *offset = p - (unsigned char *)header;

++        p = do_rfc1035_name(p, va_arg(ap, char *), limit);

++        if (!p)

++          {

++            va_end(ap);

++            goto truncated;

++          }

++        CHECK_LIMIT(1);

++        *p++ = 0;

+ 	break;

+ 	

+       case 't':

+ 	usval = va_arg(ap, int);

++        CHECK_LIMIT(usval);

+ 	sval = va_arg(ap, char *);

+ 	if (usval != 0)

+ 	  memcpy(p, sval, usval);

+@@ -1141,20 +1170,24 @@

+ 	usval = sval ? strlen(sval) : 0;

+ 	if (usval > 255)

+ 	  usval = 255;

++        CHECK_LIMIT(usval + 1);

+ 	*p++ = (unsigned char)usval;

+ 	memcpy(p, sval, usval);

+ 	p += usval;

+ 	break;

+       }

+ 

++#undef CHECK_LIMIT

+   va_end(ap);	/* clean up variable argument pointer */

+   

+   j = p - sav - 2;

+-  PUTSHORT(j, sav);     /* Now, store real RDLength */

++ /* this has already been checked against limit before */

++ PUTSHORT(j, sav);     /* Now, store real RDLength */

+   

+   /* check for overflow of buffer */

+   if (limit && ((unsigned char *)limit - p) < 0)

+     {

++truncated:

+       if (truncp)

+ 	*truncp = 1;

+       return 0;

+diff -Naur dnsmasq-2.76.orig/src/rfc2131.c dnsmasq-2.76/src/rfc2131.c

+--- dnsmasq-2.76.orig/src/rfc2131.c	2016-05-18 07:51:54.000000000 -0700

+@@ -155,7 +155,7 @@

+ 	  for (offset = 0; offset < (len - 5); offset += elen + 5)

+ 	    {

+ 	      elen = option_uint(opt, offset + 4 , 1);

+-	      if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA)

++	      if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA && offset + elen + 5 <= len)

+ 		{

+ 		  unsigned char *x = option_ptr(opt, offset + 5);

+ 		  unsigned char *y = option_ptr(opt, offset + elen + 5);

+@@ -2419,10 +2419,10 @@

+ 

+ 	      if (fqdn_flags & 0x04)

+ 		{

+-		  p = do_rfc1035_name(p, hostname);

++		  p = do_rfc1035_name(p, hostname, NULL);

+ 		  if (domain)

+ 		    {

+-		      p = do_rfc1035_name(p, domain);

++		      p = do_rfc1035_name(p, domain, NULL);

+ 		      *p++ = 0;

+ 		    }

+ 		}

+diff -Naur dnsmasq-2.76.orig/src/rfc3315.c dnsmasq-2.76/src/rfc3315.c

+--- dnsmasq-2.76.orig/src/rfc3315.c	2016-05-18 07:51:54.000000000 -0700

+@@ -206,6 +206,9 @@

+   /* RFC-6939 */

+   if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))

+     {

++      if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {

++        return 0;

++      }

+       state->mac_type = opt6_uint(opt, 0, 2);

+       state->mac_len = opt6_len(opt) - 2;

+       memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);

+@@ -213,6 +216,9 @@

+   

+   for (opt = opts; opt; opt = opt6_next(opt, end))

+     {

++      if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {

++        return 0;

++      }

+       int o = new_opt6(opt6_type(opt));

+       if (opt6_type(opt) == OPTION6_RELAY_MSG)

+ 	{

+@@ -1472,10 +1478,10 @@

+       if ((p = expand(len + 2)))

+ 	{

+ 	  *(p++) = state->fqdn_flags;

+-	  p = do_rfc1035_name(p, state->hostname);

++	  p = do_rfc1035_name(p, state->hostname, NULL);

+ 	  if (state->send_domain)

+ 	    {

+-	      p = do_rfc1035_name(p, state->send_domain);

++	      p = do_rfc1035_name(p, state->send_domain, NULL);

+ 	      *p = 0;

+ 	    }

+ 	}

+diff -Naur dnsmasq-2.76.orig/src/util.c dnsmasq-2.76/src/util.c

+--- dnsmasq-2.76.orig/src/util.c	2016-05-18 07:51:54.000000000 -0700

+@@ -218,15 +218,20 @@

+   return ret;

+ }

+ 

+-unsigned char *do_rfc1035_name(unsigned char *p, char *sval)

++unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)

+ {

+   int j;

+   

+   while (sval && *sval)

+     {

++      if (limit && p + 1 > (unsigned char*)limit)

++        return p;

++

+       unsigned char *cp = p++;

+       for (j = 0; *sval && (*sval != '.'); sval++, j++)

+ 	{

++          if (limit && p + 1 > (unsigned char*)limit)

++            return p;

+ #ifdef HAVE_DNSSEC

+ 	  if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)

+ 	    *p++ = (*(++sval))-1;

@@ -1,7 +1,7 @@

 Summary:	DNS proxy with integrated DHCP server

 Name:		dnsmasq

 Version:	2.76

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:	GPLv2 or GPLv3

 Group:		System Environment/Daemons

 URL:		http://www.thekelleys.org.uk/dnsmasq/

@@ -10,12 +10,14 @@ Source:	        %{name}-%{version}.tar.xz

 Vendor:		VMware, Inc.

 Distribution:	Photon

 Provides:	dnsmasq

+Patch0:		dnsmasq.patch

 %description

 Dnsmasq a lightweight, caching DNS proxy with integrated DHCP server.

 %prep

 %setup -q

+%patch0 -p1

 %build

 make %{?_smp_mflags}

@@ -66,6 +68,8 @@ rm -rf %{buildroot}

 %config  /usr/share/dnsmasq/trust-anchors.conf

 %changelog

+*   Wed Sep 27 2017 Alexey Makhalov <amakhalov@vmware.com> 2.76-2

+-   Fix CVE-2017-14491..CVE-2017-14496

 *   Sun Nov 27 2016 Vinay Kulkarni <kulkarniv@vmware.com> 2.76-1

 -   Upgrade to 2.76 to address CVE-2015-8899

 *   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.75-2