forked from c-ares/c-ares.github.io
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2016-5180.patch
163 lines (148 loc) · 5.1 KB
/
CVE-2016-5180.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
From 115fe381c75147352d7a8d21aa3ffb85ca367219 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Fri, 23 Sep 2016 14:44:11 +0200
Subject: [PATCH] ares_create_query: avoid single-byte buffer overwrite
... when the name ends with an escaped dot.
CVE-2016-5180
Bug: https://c-ares.haxx.se/adv_20160929.html
---
ares_create_query.c | 84 +++++++++++++++++++++++++----------------------------
1 file changed, 39 insertions(+), 45 deletions(-)
diff --git a/ares_create_query.c b/ares_create_query.c
index a34dda7..7f4c52d 100644
--- a/ares_create_query.c
+++ b/ares_create_query.c
@@ -83,61 +83,35 @@
* label. The list is terminated by a label of length zero (which can
* be thought of as the root domain).
*/
int ares_create_query(const char *name, int dnsclass, int type,
- unsigned short id, int rd, unsigned char **buf,
- int *buflen, int max_udp_size)
+ unsigned short id, int rd, unsigned char **bufp,
+ int *buflenp, int max_udp_size)
{
- int len;
+ size_t len;
unsigned char *q;
const char *p;
+ size_t buflen;
+ unsigned char *buf;
/* Set our results early, in case we bail out early with an error. */
- *buflen = 0;
- *buf = NULL;
+ *buflenp = 0;
+ *bufp = NULL;
- /* Compute the length of the encoded name so we can check buflen.
- * Start counting at 1 for the zero-length label at the end. */
- len = 1;
- for (p = name; *p; p++)
- {
- if (*p == '\\' && *(p + 1) != 0)
- p++;
- len++;
- }
- /* If there are n periods in the name, there are n + 1 labels, and
- * thus n + 1 length fields, unless the name is empty or ends with a
- * period. So add 1 unless name is empty or ends with a period.
+ /* Allocate a memory area for the maximum size this packet might need. +2
+ * is for the length byte and zero termination if no dots or ecscaping is
+ * used.
*/
- if (*name && *(p - 1) != '.')
- len++;
-
- /* Immediately reject names that are longer than the maximum of 255
- * bytes that's specified in RFC 1035 ("To simplify implementations,
- * the total length of a domain name (i.e., label octets and label
- * length octets) is restricted to 255 octets or less."). We aren't
- * doing this just to be a stickler about RFCs. For names that are
- * too long, 'dnscache' closes its TCP connection to us immediately
- * (when using TCP) and ignores the request when using UDP, and
- * BIND's named returns ServFail (TCP or UDP). Sending a request
- * that we know will cause 'dnscache' to close the TCP connection is
- * painful, since that makes any other outstanding requests on that
- * connection fail. And sending a UDP request that we know
- * 'dnscache' will ignore is bad because resources will be tied up
- * until we time-out the request.
- */
- if (len > MAXCDNAME)
- return ARES_EBADNAME;
-
- *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0);
- *buf = ares_malloc(*buflen);
- if (!*buf)
- return ARES_ENOMEM;
+ len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
+ (max_udp_size ? EDNSFIXEDSZ : 0);
+ buf = ares_malloc(len);
+ if (!buf)
+ return ARES_ENOMEM;
/* Set up the header. */
- q = *buf;
+ q = buf;
memset(q, 0, HFIXEDSZ);
DNS_HEADER_SET_QID(q, id);
DNS_HEADER_SET_OPCODE(q, QUERY);
if (rd) {
DNS_HEADER_SET_RD(q, 1);
@@ -157,23 +131,27 @@ int ares_create_query(const char *name, int dnsclass, int type,
/* Start writing out the name after the header. */
q += HFIXEDSZ;
while (*name)
{
- if (*name == '.')
+ if (*name == '.') {
+ free (buf);
return ARES_EBADNAME;
+ }
/* Count the number of bytes in this label. */
len = 0;
for (p = name; *p && *p != '.'; p++)
{
if (*p == '\\' && *(p + 1) != 0)
p++;
len++;
}
- if (len > MAXLABEL)
+ if (len > MAXLABEL) {
+ free (buf);
return ARES_EBADNAME;
+ }
/* Encode the length and copy the data. */
*q++ = (unsigned char)len;
for (p = name; *p && *p != '.'; p++)
{
@@ -193,16 +171,32 @@ int ares_create_query(const char *name, int dnsclass, int type,
/* Finish off the question with the type and class. */
DNS_QUESTION_SET_TYPE(q, type);
DNS_QUESTION_SET_CLASS(q, dnsclass);
+ q += QFIXEDSZ;
if (max_udp_size)
{
- q += QFIXEDSZ;
memset(q, 0, EDNSFIXEDSZ);
q++;
DNS_RR_SET_TYPE(q, T_OPT);
DNS_RR_SET_CLASS(q, max_udp_size);
+ q += (EDNSFIXEDSZ-1);
+ }
+ buflen = (q - buf);
+
+ /* Reject names that are longer than the maximum of 255 bytes that's
+ * specified in RFC 1035 ("To simplify implementations, the total length of
+ * a domain name (i.e., label octets and label length octets) is restricted
+ * to 255 octets or less."). */
+ if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
+ (max_udp_size ? EDNSFIXEDSZ : 0))) {
+ free (buf);
+ return ARES_EBADNAME;
}
+ /* we know this fits in an int at this point */
+ *buflenp = (int) buflen;
+ *bufp = buf;
+
return ARES_SUCCESS;
}
--
2.9.3