Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
adns.15333
adns-1.4-CVE-2017-9106.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File adns-1.4-CVE-2017-9106.patch of Package adns.15333
A merger of these 2 patches: ----- From 54d811a530e9cf16148998cd9fdd168dbf8e14d5 Mon Sep 17 00:00:00 2001 From: Ian Jackson <ijackson@chiark.greenend.org.uk> Date: Sat, 3 Dec 2016 14:51:18 +0000 Subject: [PATCH 06/32] cs_inthost*: Break out csp_intofinthost No functional change. This removes some duplication, enabling the following security patch to fix just the one copy. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk> --- src/types.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) ----- From 37792aacaf7abbcdac6a02715a5ef794b5147f13 Mon Sep 17 00:00:00 2001 From: Ian Jackson <ijackson@chiark.greenend.org.uk> Date: Sat, 3 Dec 2016 14:51:54 +0000 Subject: [PATCH 07/32] SECURITY: Defend adns_rr_info (somewhat) from bogus *datap The general pattern for formatting integers is to sprintf into a fixed-size buffer. This is correct if the input is in the right range; if it isn't, the buffer may be overrun (depending on the sizes of the types on the current platform). Of course the inputs ought to be right. And there are pointers in there too, so perhaps we could say that the caller ought to check these things. I think it's better to require the caller to make the pointer structure right, but to have the code here be defensive about (and tolerate with an erro but without crashing) out-of-range integer values. So: defend each of these integer conversion sites with a check for the actual permitted range, and return adns_s_invaliddata if not. The lack of this check causes the SOA sign extension bug to be a serious security problem: the sign extended SOA value is out of range, and will overrun the buffer when reconverted. Found by AFL 2.35b. CVE-2017-9106. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk> --- src/types.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) Index: adns-1.5.1/src/types.c =================================================================== --- adns-1.5.1.orig/src/types.c +++ adns-1.5.1/src/types.c @@ -1108,13 +1108,23 @@ static void mf_inthostaddr(adns_query qu mfp_hostaddr(qu,&rrp->ha); } -static adns_status cs_inthostaddr(vbuf *vb, const void *datap) { - const adns_rr_inthostaddr *rrp= datap; +static adns_status csp_intofinthost(vbuf *vb, int i) { char buf[10]; - sprintf(buf,"%u ",rrp->i); + if (i < 0 || i > 0xffff) + /* currently only used for MX whose priorities are 16-bit */ + return adns_s_invaliddata; + + sprintf(buf,"%u ",i); CSP_ADDSTR(buf); + return adns_s_ok; +} +static adns_status cs_inthostaddr(vbuf *vb, const void *datap) { + const adns_rr_inthostaddr *rrp= datap; + adns_status st; + + st = csp_intofinthost(vb,rrp->i); if (st) return st; return csp_hostaddr(vb,&rrp->ha); } @@ -1124,10 +1134,9 @@ static adns_status cs_inthostaddr(vbuf * static adns_status cs_inthost(vbuf *vb, const void *datap) { const adns_rr_intstr *rrp= datap; - char buf[10]; + adns_status st; - sprintf(buf,"%u ",rrp->i); - CSP_ADDSTR(buf); + st = csp_intofinthost(vb,rrp->i); if (st) return st; return csp_domain(vb,rrp->str); } @@ -1409,6 +1418,8 @@ static adns_status cs_soa(vbuf *vb, cons st= csp_mailbox(vb,rrp->rname); if (st) return st; for (i=0; i<5; i++) { + if (rrp->serial > 0xffffffffUL) + return adns_s_invaliddata; sprintf(buf," %lu",(&rrp->serial)[i]); CSP_ADDSTR(buf); } @@ -1497,6 +1508,10 @@ static int di_srv(adns_state ads, const static adns_status csp_srv_begin(vbuf *vb, const adns_rr_srvha *rrp /* might be adns_rr_srvraw* */) { char buf[30]; + if (rrp->priority < 0 || rrp->priority > 0xffff || + rrp->weight < 0 || rrp->weight > 0xffff || + rrp->port < 0 || rrp->port > 0xffff) + return adns_s_invaliddata; sprintf(buf,"%u %u %u ", rrp->priority, rrp->weight, rrp->port); CSP_ADDSTR(buf); return adns_s_ok; @@ -1612,6 +1627,9 @@ static adns_status cs_opaque(vbuf *vb, c int l; unsigned char *p; + if (rrp->len < 0 || rrp->len > 0xffff) + return adns_s_invaliddata; + sprintf(buf,"\\# %d",rrp->len); CSP_ADDSTR(buf);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor