diff options
Diffstat (limited to 'meta/recipes-core/busybox/busybox/CVE-2016-2147.patch')
| -rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2016-2147.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch new file mode 100644 index 0000000000..84cae6aa2c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2016-2147.patch @@ -0,0 +1,57 @@ +From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Thu, 10 Mar 2016 11:47:58 +0100 +Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> + +Upstream-Status: Backport +CVE: CVE-2016-2147 + +https://git.busybox.net/busybox/commit/?id=d474ffc +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + networking/udhcp/domain_codec.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: busybox-1.23.2/networking/udhcp/domain_codec.c +=================================================================== +--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c ++++ busybox-1.23.2/networking/udhcp/domain_codec.c +@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t + if (crtpos + *c + 1 > clen) /* label too long? abort */ + return NULL; + if (dst) +- memcpy(dst + len, c + 1, *c); ++ /* \3com ---> "com." */ ++ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; + len += *c + 1; + crtpos += *c + 1; +- if (dst) +- dst[len - 1] = '.'; + } else { + /* NUL: end of current domain name */ + if (retpos == 0) { +@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t + crtpos = retpos; + retpos = depth = 0; + } +- if (dst) ++ if (dst && len != 0) ++ /* \4host\3com\0\4host and we are at \0: ++ * \3com was converted to "com.", change dot to space. ++ */ + dst[len - 1] = ' '; + } + +@@ -228,6 +230,9 @@ int main(int argc, char **argv) + int len; + uint8_t *encoded; + ++ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; ++ printf("NUL:'%s'\n", dname_dec(str, 6, "")); ++ + #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) + printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); + printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); |