busybox/patches/busybox-1.24.2-CVE-2016-2148.patch

From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 10 Mar 2016 11:47:58 +0100
Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
---
 networking/udhcp/domain_codec.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
index c1325d8..8429367 100644
--- a/networking/udhcp/domain_codec.c
+++ b/networking/udhcp/domain_codec.c
@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
 				if (crtpos + *c + 1 > clen) /* label too long? abort */
 					return NULL;
 				if (dst)
-					memcpy(dst + len, c + 1, *c);
+					/* \3com ---> "com." */
+					((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
 				len += *c + 1;
 				crtpos += *c + 1;
-				if (dst)
-					dst[len - 1] = '.';
 			} else {
 				/* NUL: end of current domain name */
 				if (retpos == 0) {
@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
 					crtpos = retpos;
 					retpos = depth = 0;
 				}
-				if (dst)
+				if (dst && len != 0)
+					/* \4host\3com\0\4host and we are at \0:
+					 * \3com was converted to "com.", change dot to space.
+					 */
 					dst[len - 1] = ' ';
 			}
 
@@ -228,6 +230,9 @@ int main(int argc, char **argv)
 	int len;
 	uint8_t *encoded;
 
+        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
+        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
+
 #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
 	printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
 	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
-- 
2.7.4

1	niro	2779	From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
2			From: Denys Vlasenko <vda.linux@googlemail.com>
3			Date: Thu, 10 Mar 2016 11:47:58 +0100
4			Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
5
6			Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
7			Signed-off-by: Mike Frysinger <vapier@gentoo.org>
8			(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
9			---
10			networking/udhcp/domain_codec.c \| 13 +++++++++----
11			1 file changed, 9 insertions(+), 4 deletions(-)
12
13			diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
14			index c1325d8..8429367 100644
15			--- a/networking/udhcp/domain_codec.c
16			+++ b/networking/udhcp/domain_codec.c
17			@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t cstr, int clen, const char pre)
18			if (crtpos + c + 1 > clen) / label too long? abort */
19			return NULL;
20			if (dst)
21			- memcpy(dst + len, c + 1, *c);
22			+ /* \3com ---> "com." */
23			+ ((char)mempcpy(dst + len, c + 1, c))[0] = '.';
24			len += *c + 1;
25			crtpos += *c + 1;
26			- if (dst)
27			- dst[len - 1] = '.';
28			} else {
29			/* NUL: end of current domain name */
30			if (retpos == 0) {
31			@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t cstr, int clen, const char pre)
32			crtpos = retpos;
33			retpos = depth = 0;
34			}
35			- if (dst)
36			+ if (dst && len != 0)
37			+ /* \4host\3com\0\4host and we are at \0:
38			+ * \3com was converted to "com.", change dot to space.
39			+ */
40			dst[len - 1] = ' ';
41			}
42
43			@@ -228,6 +230,9 @@ int main(int argc, char **argv)
44			int len;
45			uint8_t *encoded;
46
47			+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
48			+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
49			+
50			#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
51			printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
52			printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
53			--
54			2.7.4
55