Annotation of /trunk/busybox/patches/busybox-1.24.2-CVE-2016-2148.patch
Parent Directory | Revision Log
Revision 2779 -
(hide annotations)
(download)
Fri Apr 8 07:24:48 2016 UTC (8 years, 5 months ago) by niro
File size: 1956 byte(s)
Fri Apr 8 07:24:48 2016 UTC (8 years, 5 months ago) by niro
File size: 1956 byte(s)
-added 1.24.2 official patches
1 | niro | 2779 | From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001 |
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Thu, 10 Mar 2016 11:47:58 +0100 | ||
4 | Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name | ||
5 | |||
6 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
7 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> | ||
8 | (cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87) | ||
9 | --- | ||
10 | networking/udhcp/domain_codec.c | 13 +++++++++---- | ||
11 | 1 file changed, 9 insertions(+), 4 deletions(-) | ||
12 | |||
13 | diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c | ||
14 | index c1325d8..8429367 100644 | ||
15 | --- a/networking/udhcp/domain_codec.c | ||
16 | +++ b/networking/udhcp/domain_codec.c | ||
17 | @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre) | ||
18 | if (crtpos + *c + 1 > clen) /* label too long? abort */ | ||
19 | return NULL; | ||
20 | if (dst) | ||
21 | - memcpy(dst + len, c + 1, *c); | ||
22 | + /* \3com ---> "com." */ | ||
23 | + ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.'; | ||
24 | len += *c + 1; | ||
25 | crtpos += *c + 1; | ||
26 | - if (dst) | ||
27 | - dst[len - 1] = '.'; | ||
28 | } else { | ||
29 | /* NUL: end of current domain name */ | ||
30 | if (retpos == 0) { | ||
31 | @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre) | ||
32 | crtpos = retpos; | ||
33 | retpos = depth = 0; | ||
34 | } | ||
35 | - if (dst) | ||
36 | + if (dst && len != 0) | ||
37 | + /* \4host\3com\0\4host and we are at \0: | ||
38 | + * \3com was converted to "com.", change dot to space. | ||
39 | + */ | ||
40 | dst[len - 1] = ' '; | ||
41 | } | ||
42 | |||
43 | @@ -228,6 +230,9 @@ int main(int argc, char **argv) | ||
44 | int len; | ||
45 | uint8_t *encoded; | ||
46 | |||
47 | + uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 }; | ||
48 | + printf("NUL:'%s'\n", dname_dec(str, 6, "")); | ||
49 | + | ||
50 | #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre)) | ||
51 | printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:")); | ||
52 | printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", "")); | ||
53 | -- | ||
54 | 2.7.4 | ||
55 |