Contents of /trunk/busybox/patches/busybox-1.24.2-CVE-2016-2148.patch
Parent Directory | Revision Log
Revision 2779 -
(show annotations)
(download)
Fri Apr 8 07:24:48 2016 UTC (8 years, 5 months ago) by niro
File size: 1956 byte(s)
Fri Apr 8 07:24:48 2016 UTC (8 years, 5 months ago) by niro
File size: 1956 byte(s)
-added 1.24.2 official patches
1 | From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001 |
2 | From: Denys Vlasenko <vda.linux@googlemail.com> |
3 | Date: Thu, 10 Mar 2016 11:47:58 +0100 |
4 | Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name |
5 | |
6 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
7 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> |
8 | (cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87) |
9 | --- |
10 | networking/udhcp/domain_codec.c | 13 +++++++++---- |
11 | 1 file changed, 9 insertions(+), 4 deletions(-) |
12 | |
13 | diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c |
14 | index c1325d8..8429367 100644 |
15 | --- a/networking/udhcp/domain_codec.c |
16 | +++ b/networking/udhcp/domain_codec.c |
17 | @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre) |
18 | if (crtpos + *c + 1 > clen) /* label too long? abort */ |
19 | return NULL; |
20 | if (dst) |
21 | - memcpy(dst + len, c + 1, *c); |
22 | + /* \3com ---> "com." */ |
23 | + ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; |
24 | len += *c + 1; |
25 | crtpos += *c + 1; |
26 | - if (dst) |
27 | - dst[len - 1] = '.'; |
28 | } else { |
29 | /* NUL: end of current domain name */ |
30 | if (retpos == 0) { |
31 | @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre) |
32 | crtpos = retpos; |
33 | retpos = depth = 0; |
34 | } |
35 | - if (dst) |
36 | + if (dst && len != 0) |
37 | + /* \4host\3com\0\4host and we are at \0: |
38 | + * \3com was converted to "com.", change dot to space. |
39 | + */ |
40 | dst[len - 1] = ' '; |
41 | } |
42 | |
43 | @@ -228,6 +230,9 @@ int main(int argc, char **argv) |
44 | int len; |
45 | uint8_t *encoded; |
46 | |
47 | + uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; |
48 | + printf("NUL:'%s'\n", dname_dec(str, 6, "")); |
49 | + |
50 | #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) |
51 | printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); |
52 | printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); |
53 | -- |
54 | 2.7.4 |
55 |