Change-Id: I0ebe5891df20f3db5aca063845898562ae79d31d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1485
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
(cherry picked from commit f9a319e448afb5830ca9571c71a0b18d8711a4c1)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1498
Reviewed-by: suezzelur <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,144 @@ |
0 |
+From 115fe381c75147352d7a8d21aa3ffb85ca367219 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Daniel Stenberg <daniel@haxx.se> |
|
2 |
+Date: Fri, 23 Sep 2016 14:44:11 +0200 |
|
3 |
+Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite |
|
4 |
+ |
|
5 |
+... when the name ends with an escaped dot. |
|
6 |
+ |
|
7 |
+CVE-2016-5180 |
|
8 |
+ |
|
9 |
+Bug: https://c-ares.haxx.se/adv_20160929.html |
|
10 |
+diff --git a/ares_create_query.c b/ares_create_query.c |
|
11 |
+index 8624e2f..abae64a 100644 |
|
12 |
+--- a/ares_create_query.c |
|
13 |
+@@ -85,57 +85,31 @@ |
|
14 |
+ */ |
|
15 |
+ |
|
16 |
+ int ares_create_query(const char *name, int dnsclass, int type, |
|
17 |
+- unsigned short id, int rd, unsigned char **buf, |
|
18 |
+- int *buflen, int max_udp_size) |
|
19 |
++ unsigned short id, int rd, unsigned char **bufp, |
|
20 |
++ int *buflenp, int max_udp_size) |
|
21 |
+ { |
|
22 |
+- int len; |
|
23 |
++ size_t len; |
|
24 |
+ unsigned char *q; |
|
25 |
+ const char *p; |
|
26 |
++ size_t buflen; |
|
27 |
++ unsigned char *buf; |
|
28 |
+ |
|
29 |
+ /* Set our results early, in case we bail out early with an error. */ |
|
30 |
+- *buflen = 0; |
|
31 |
+- *buf = NULL; |
|
32 |
++ *buflenp = 0; |
|
33 |
++ *bufp = NULL; |
|
34 |
+ |
|
35 |
+- /* Compute the length of the encoded name so we can check buflen. |
|
36 |
+- * Start counting at 1 for the zero-length label at the end. */ |
|
37 |
+- len = 1; |
|
38 |
+- for (p = name; *p; p++) |
|
39 |
+- { |
|
40 |
+- if (*p == '\\' && *(p + 1) != 0) |
|
41 |
+- p++; |
|
42 |
+- len++; |
|
43 |
+- } |
|
44 |
+- /* If there are n periods in the name, there are n + 1 labels, and |
|
45 |
+- * thus n + 1 length fields, unless the name is empty or ends with a |
|
46 |
+- * period. So add 1 unless name is empty or ends with a period. |
|
47 |
++ /* Allocate a memory area for the maximum size this packet might need. +2 |
|
48 |
++ * is for the length byte and zero termination if no dots or ecscaping is |
|
49 |
++ * used. |
|
50 |
+ */ |
|
51 |
+- if (*name && *(p - 1) != '.') |
|
52 |
+- len++; |
|
53 |
+- |
|
54 |
+- /* Immediately reject names that are longer than the maximum of 255 |
|
55 |
+- * bytes that's specified in RFC 1035 ("To simplify implementations, |
|
56 |
+- * the total length of a domain name (i.e., label octets and label |
|
57 |
+- * length octets) is restricted to 255 octets or less."). We aren't |
|
58 |
+- * doing this just to be a stickler about RFCs. For names that are |
|
59 |
+- * too long, 'dnscache' closes its TCP connection to us immediately |
|
60 |
+- * (when using TCP) and ignores the request when using UDP, and |
|
61 |
+- * BIND's named returns ServFail (TCP or UDP). Sending a request |
|
62 |
+- * that we know will cause 'dnscache' to close the TCP connection is |
|
63 |
+- * painful, since that makes any other outstanding requests on that |
|
64 |
+- * connection fail. And sending a UDP request that we know |
|
65 |
+- * 'dnscache' will ignore is bad because resources will be tied up |
|
66 |
+- * until we time-out the request. |
|
67 |
+- */ |
|
68 |
+- if (len > MAXCDNAME) |
|
69 |
+- return ARES_EBADNAME; |
|
70 |
+- |
|
71 |
+- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0); |
|
72 |
+- *buf = malloc(*buflen); |
|
73 |
+- if (!*buf) |
|
74 |
+- return ARES_ENOMEM; |
|
75 |
++ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ + |
|
76 |
++ (max_udp_size ? EDNSFIXEDSZ : 0); |
|
77 |
++ buf = malloc(len); |
|
78 |
++ if (!buf) |
|
79 |
++ return ARES_ENOMEM; |
|
80 |
+ |
|
81 |
+ /* Set up the header. */ |
|
82 |
+- q = *buf; |
|
83 |
++ q = buf; |
|
84 |
+ memset(q, 0, HFIXEDSZ); |
|
85 |
+ DNS_HEADER_SET_QID(q, id); |
|
86 |
+ DNS_HEADER_SET_OPCODE(q, QUERY); |
|
87 |
+@@ -159,8 +133,10 @@ int ares_create_query(const char *name, int dnsclass, int type, |
|
88 |
+ q += HFIXEDSZ; |
|
89 |
+ while (*name) |
|
90 |
+ { |
|
91 |
+- if (*name == '.') |
|
92 |
++ if (*name == '.') { |
|
93 |
++ free (buf); |
|
94 |
+ return ARES_EBADNAME; |
|
95 |
++ } |
|
96 |
+ |
|
97 |
+ /* Count the number of bytes in this label. */ |
|
98 |
+ len = 0; |
|
99 |
+@@ -170,8 +146,10 @@ int ares_create_query(const char *name, int dnsclass, int type, |
|
100 |
+ p++; |
|
101 |
+ len++; |
|
102 |
+ } |
|
103 |
+- if (len > MAXLABEL) |
|
104 |
++ if (len > MAXLABEL) { |
|
105 |
++ free (buf); |
|
106 |
+ return ARES_EBADNAME; |
|
107 |
++ } |
|
108 |
+ |
|
109 |
+ /* Encode the length and copy the data. */ |
|
110 |
+ *q++ = (unsigned char)len; |
|
111 |
+@@ -195,14 +173,30 @@ int ares_create_query(const char *name, int dnsclass, int type, |
|
112 |
+ DNS_QUESTION_SET_TYPE(q, type); |
|
113 |
+ DNS_QUESTION_SET_CLASS(q, dnsclass); |
|
114 |
+ |
|
115 |
++ q += QFIXEDSZ; |
|
116 |
+ if (max_udp_size) |
|
117 |
+ { |
|
118 |
+- q += QFIXEDSZ; |
|
119 |
+ memset(q, 0, EDNSFIXEDSZ); |
|
120 |
+ q++; |
|
121 |
+ DNS_RR_SET_TYPE(q, T_OPT); |
|
122 |
+ DNS_RR_SET_CLASS(q, max_udp_size); |
|
123 |
++ q += (EDNSFIXEDSZ-1); |
|
124 |
++ } |
|
125 |
++ buflen = (q - buf); |
|
126 |
++ |
|
127 |
++ /* Reject names that are longer than the maximum of 255 bytes that's |
|
128 |
++ * specified in RFC 1035 ("To simplify implementations, the total length of |
|
129 |
++ * a domain name (i.e., label octets and label length octets) is restricted |
|
130 |
++ * to 255 octets or less."). */ |
|
131 |
++ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ + |
|
132 |
++ (max_udp_size ? EDNSFIXEDSZ : 0))) { |
|
133 |
++ free (buf); |
|
134 |
++ return ARES_EBADNAME; |
|
135 |
+ } |
|
136 |
+ |
|
137 |
++ /* we know this fits in an int at this point */ |
|
138 |
++ *buflenp = (int) buflen; |
|
139 |
++ *bufp = buf; |
|
140 |
++ |
|
141 |
+ return ARES_SUCCESS; |
|
142 |
+ } |
... | ... |
@@ -1,14 +1,15 @@ |
1 |
-Summary: A library that performs asynchronous DNS operations |
|
2 |
-Name: c-ares |
|
3 |
-Version: 1.10.0 |
|
4 |
-Release: 2%{?dist} |
|
5 |
-License: MIT |
|
6 |
-Group: System Environment/Libraries |
|
7 |
-Vendor: VMware, Inc. |
|
8 |
-Distribution: Photon |
|
9 |
-URL: http://c-ares.haxx.se/ |
|
10 |
-Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz |
|
11 |
-%define sha1 c-ares=e44e6575d5af99cb3a38461486e1ee8b49810eb5 |
|
1 |
+Summary: A library that performs asynchronous DNS operations |
|
2 |
+Name: c-ares |
|
3 |
+Version: 1.10.0 |
|
4 |
+Release: 3%{?dist} |
|
5 |
+License: MIT |
|
6 |
+Group: System Environment/Libraries |
|
7 |
+Vendor: VMware, Inc. |
|
8 |
+Distribution: Photon |
|
9 |
+URL: http://c-ares.haxx.se/ |
|
10 |
+Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz |
|
11 |
+%define sha1 c-ares=e44e6575d5af99cb3a38461486e1ee8b49810eb5 |
|
12 |
+Patch0: CVE-2016-5180.patch |
|
12 | 13 |
|
13 | 14 |
BuildRequires: autoconf |
14 | 15 |
BuildRequires: automake |
... | ... |
@@ -31,6 +32,7 @@ compile applications or shared objects that use c-ares. |
31 | 31 |
|
32 | 32 |
%prep |
33 | 33 |
%setup -q |
34 |
+%patch0 -p1 |
|
34 | 35 |
|
35 | 36 |
f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f |
36 | 37 |
|
... | ... |
@@ -68,7 +70,9 @@ rm -rf $RPM_BUILD_ROOT |
68 | 68 |
%{_mandir}/man3/ares_* |
69 | 69 |
|
70 | 70 |
%changelog |
71 |
-* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.10.0-2 |
|
72 |
-- GA - Bump release of all rpms |
|
73 |
-* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> - 1.10.0-1 |
|
74 |
-- Initial version |
|
71 |
+* Wed Oct 05 2016 Xiaolin Li <xiaolinl@vmware.com> 1.10.0-3 |
|
72 |
+- Apply patch for CVE-2016-5180. |
|
73 |
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.10.0-2 |
|
74 |
+- GA - Bump release of all rpms |
|
75 |
+* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> - 1.10.0-1 |
|
76 |
+- Initial version |
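Review bot: `%patch0 -p1` (the line added after `%setup -q`) relies on CVE-2016-5180.patch applying cleanly, but as rendered that patch's single hunk has `--- a/ares_create_query.c` followed directly by `@@ -85,57 +85,31 @@`, with no `+++ b/ares_create_query.c` line between them. GNU patch can usually still locate the target from the `diff --git` line, but a unified diff without its `+++` header is malformed and stricter tools reject it; if this is not a rendering artifact, restore the line `+++ b/ares_create_query.c` after the `---` line in the patch file. The upstream fix is dated September 2016 while the spec still builds 1.10.0, so the hunk was likely written against a newer tree; confirm in the build log that it applies with no fuzz or offset before shipping release 3, since a silently rejected hunk would leave the CVE unfixed while the changelog claims otherwise.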