
Apply patch for CVE-2016-5180. (bug 1740140 Vulnerability CVE-2016-5180)

Change-Id: I0ebe5891df20f3db5aca063845898562ae79d31d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1485
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
(cherry picked from commit f9a319e448afb5830ca9571c71a0b18d8711a4c1)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1498
Reviewed-by: suezzelur <anishs@vmware.com>

xiaolin-vmware authored on 2016/10/06 04:43:29
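new file mode 100644
--- /dev/null
+++ b/CVE-2016-5180.patch
@@ -0,0 +1,144 @@
+From 115fe381c75147352d7a8d21aa3ffb85ca367219 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Sep 2016 14:44:11 +0200
+Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite
+
+... when the name ends with an escaped dot.
+
+CVE-2016-5180
+
+Bug: https://c-ares.haxx.se/adv_20160929.html
+diff --git a/ares_create_query.c b/ares_create_query.c
+index 8624e2f..abae64a 100644
+--- a/ares_create_query.c
+@@ -85,57 +85,31 @@
+  */
+ 
+ int ares_create_query(const char *name, int dnsclass, int type,
+-                      unsigned short id, int rd, unsigned char **buf,
+-                      int *buflen, int max_udp_size)
++                      unsigned short id, int rd, unsigned char **bufp,
++                      int *buflenp, int max_udp_size)
+ {
+-  int len;
++  size_t len;
+   unsigned char *q;
+   const char *p;
++  size_t buflen;
++  unsigned char *buf;
+ 
+   /* Set our results early, in case we bail out early with an error. */
+-  *buflen = 0;
+-  *buf = NULL;
++  *buflenp = 0;
++  *bufp = NULL;
+ 
+-  /* Compute the length of the encoded name so we can check buflen.
+-   * Start counting at 1 for the zero-length label at the end. */
+-  len = 1;
+-  for (p = name; *p; p++)
+-    {
+-      if (*p == '\\' && *(p + 1) != 0)
+-        p++;
+-      len++;
+-    }
+-  /* If there are n periods in the name, there are n + 1 labels, and
+-   * thus n + 1 length fields, unless the name is empty or ends with a
+-   * period.  So add 1 unless name is empty or ends with a period.
++  /* Allocate a memory area for the maximum size this packet might need. +2
++   * is for the length byte and zero termination if no dots or ecscaping is
++   * used.
+    */
+-  if (*name && *(p - 1) != '.')
+-    len++;
+-
+-  /* Immediately reject names that are longer than the maximum of 255
+-   * bytes that's specified in RFC 1035 ("To simplify implementations,
+-   * the total length of a domain name (i.e., label octets and label
+-   * length octets) is restricted to 255 octets or less."). We aren't
+-   * doing this just to be a stickler about RFCs. For names that are
+-   * too long, 'dnscache' closes its TCP connection to us immediately
+-   * (when using TCP) and ignores the request when using UDP, and
+-   * BIND's named returns ServFail (TCP or UDP). Sending a request
+-   * that we know will cause 'dnscache' to close the TCP connection is
+-   * painful, since that makes any other outstanding requests on that
+-   * connection fail. And sending a UDP request that we know
+-   * 'dnscache' will ignore is bad because resources will be tied up
+-   * until we time-out the request.
+-   */
+-  if (len > MAXCDNAME)
+-    return ARES_EBADNAME;
+-
+-  *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0);
+-  *buf = malloc(*buflen);
+-  if (!*buf)
+-      return ARES_ENOMEM;
++  len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
++    (max_udp_size ? EDNSFIXEDSZ : 0);
++  buf = malloc(len);
++  if (!buf)
++    return ARES_ENOMEM;
+ 
+   /* Set up the header. */
+-  q = *buf;
++  q = buf;
+   memset(q, 0, HFIXEDSZ);
+   DNS_HEADER_SET_QID(q, id);
+   DNS_HEADER_SET_OPCODE(q, QUERY);
+@@ -159,8 +133,10 @@ int ares_create_query(const char *name, int dnsclass, int type,
+   q += HFIXEDSZ;
+   while (*name)
+     {
+-      if (*name == '.')
++      if (*name == '.') {
++        free (buf);
+         return ARES_EBADNAME;
++      }
+ 
+       /* Count the number of bytes in this label. */
+       len = 0;
+@@ -170,8 +146,10 @@ int ares_create_query(const char *name, int dnsclass, int type,
+             p++;
+           len++;
+         }
+-      if (len > MAXLABEL)
++      if (len > MAXLABEL) {
++        free (buf);
+         return ARES_EBADNAME;
++      }
+ 
+       /* Encode the length and copy the data. */
+       *q++ = (unsigned char)len;
+@@ -195,14 +173,30 @@ int ares_create_query(const char *name, int dnsclass, int type,
+   DNS_QUESTION_SET_TYPE(q, type);
+   DNS_QUESTION_SET_CLASS(q, dnsclass);
+ 
++  q += QFIXEDSZ;
+   if (max_udp_size)
+   {
+-      q += QFIXEDSZ;
+       memset(q, 0, EDNSFIXEDSZ);
+       q++;
+       DNS_RR_SET_TYPE(q, T_OPT);
+       DNS_RR_SET_CLASS(q, max_udp_size);
++      q += (EDNSFIXEDSZ-1);
++  }
++  buflen = (q - buf);
++
++  /* Reject names that are longer than the maximum of 255 bytes that's
++   * specified in RFC 1035 ("To simplify implementations, the total length of
++   * a domain name (i.e., label octets and label length octets) is restricted
++   * to 255 octets or less."). */
++  if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
++                (max_udp_size ? EDNSFIXEDSZ : 0))) {
++    free (buf);
++    return ARES_EBADNAME;
+   }
+ 
++  /* we know this fits in an int at this point */
++  *buflenp = (int) buflen;
++  *bufp = buf;
++
+   return ARES_SUCCESS;
+ }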
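Review bot: Between `+--- a/ares_create_query.c` and `+@@ -85,57 +85,31 @@` the embedded patch shows no `+++ b/ares_create_query.c` line, while the hunk header announces 144 lines and only 143 are rendered, so this is most likely a line the page dropped rather than a defect in the committed file; still, please confirm the file on disk carries the `+++` header, because GNU patch recognises a unified hunk by the `---`/`+++` pair and `%patch0 -p1` in the spec would otherwise likely fail at build time. The C side of the vendored hunk reads as the upstream fix: the buffer is sized from `strlen(name) + 2` plus the fixed header sizes, every post-allocation error return frees `buf`, and the RFC 1035 length check is now applied to the actual encoded length. The label-copy loop and the terminating zero byte of ares_create_query lie outside the quoted hunks.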
@@ -1,14 +1,15 @@
1
-Summary: 	A library that performs asynchronous DNS operations
2
-Name: 		c-ares
3
-Version: 	1.10.0
4
-Release: 	2%{?dist}
5
-License: 	MIT
6
-Group: 		System Environment/Libraries
7
-Vendor:		VMware, Inc.
8
-Distribution:	Photon
9
-URL: 		http://c-ares.haxx.se/
10
-Source0: 	http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
11
-%define sha1 c-ares=e44e6575d5af99cb3a38461486e1ee8b49810eb5
1
+Summary:        A library that performs asynchronous DNS operations
2
+Name:           c-ares
3
+Version:        1.10.0
4
+Release:        3%{?dist}
5
+License:        MIT
6
+Group:          System Environment/Libraries
7
+Vendor:         VMware, Inc.
8
+Distribution:   Photon
9
+URL:            http://c-ares.haxx.se/
10
+Source0:        http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
11
+%define sha1    c-ares=e44e6575d5af99cb3a38461486e1ee8b49810eb5
12
+Patch0:         CVE-2016-5180.patch
12 13
 
13 14
 BuildRequires:  autoconf
14 15
 BuildRequires:  automake
@@ -31,6 +32,7 @@ compile applications or shared objects that use c-ares.
31 31
 
32 32
 %prep
33 33
 %setup -q
34
+%patch0 -p1
34 35
 
35 36
 f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f
36 37
 
@@ -68,7 +70,9 @@ rm -rf $RPM_BUILD_ROOT
68 68
 %{_mandir}/man3/ares_*
69 69
 
70 70
 %changelog
71
-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.10.0-2
72
--	GA - Bump release of all rpms
73
-* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> - 1.10.0-1
74
-- Initial version
71
+*   Wed Oct 05 2016 Xiaolin Li <xiaolinl@vmware.com> 1.10.0-3
72
+-   Apply patch for CVE-2016-5180.
73
+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.10.0-2
74
+-   GA - Bump release of all rpms
75
+*   Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> - 1.10.0-1
76
+-   Initial version