From 1447e0aebc6b23107b7997a8e52398277cfb46da Mon Sep 17 00:00:00 2001
From: Petr Menšík pemensik@redhat.com
Date: Oct 03 2017 15:30:29 +0000
Subject: Rebase to 2.78
diff --git a/.gitignore b/.gitignore
index bd16c9f..7899088 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.76.tar.xz
/dnsmasq-2.77rc2.tar.xz
/dnsmasq-2.77.tar.xz
+/dnsmasq-2.78.tar.xz
diff --git a/dnsmasq-2.77-CVE-2017-13704.patch b/dnsmasq-2.77-CVE-2017-13704.patch
deleted file mode 100644
index c60b382..0000000
--- a/dnsmasq-2.77-CVE-2017-13704.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 63437ffbb58837b214b4b92cb1c54bc5f3279928 Mon Sep 17 00:00:00 2001
-From: Simon Kelley simon@thekelleys.org.uk
-Date: Wed, 6 Sep 2017 22:34:21 +0100
-Subject: [PATCH] Fix CVE-2017-13704, which resulted in a crash on a large DNS
- query.
-
-A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size,
-if different.) is enough to cause SIGSEGV.
----
- src/auth.c | 5 -----
- src/forward.c | 8 ++++++++
- src/rfc1035.c | 5 -----
- 3 files changed, 8 insertions(+), 10 deletions(-)
-
-diff --git a/src/auth.c b/src/auth.c
-index 2c24e16..7f95f98 100644
---- a/src/auth.c
-+++ b/src/auth.c
-@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
- struct cname *a, *candidate;
- unsigned int wclen;
-
-- /* Clear buffer beyond request to avoid risk of
-- information disclosure. */
-- memset(((char *)header) + qlen, 0,
-- (limit - ((char *)header)) - qlen);
--
- if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
- return 0;
-
-diff --git a/src/forward.c b/src/forward.c
-index f22556a..e3fa94b 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -1188,6 +1188,10 @@ void receive_query(struct listener *listen, time_t now)
- (msg.msg_flags & MSG_TRUNC) ||
- (header->hb3 & HB3_QR))
- return;
-+
-+ /* Clear buffer beyond request to avoid risk of
-+ information disclosure. */
-+ memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
-
- source_addr.sa.sa_family = listen->family;
-
-@@ -1688,6 +1692,10 @@ unsigned char *tcp_request(int confd, time_t now,
-
- if (size < (int)sizeof(struct dns_header))
- continue;
-+
-+ /* Clear buffer beyond request to avoid risk of
-+ information disclosure. */
-+ memset(payload + size, 0, 65536 - size);
-
- query_count++;
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 26f5301..af2fe46 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
- struct mx_srv_record *rec;
- size_t len;
-
-- /* Clear buffer beyond request to avoid risk of
-- information disclosure. */
-- memset(((char *)header) + qlen, 0,
-- (limit - ((char *)header)) - qlen);
--
- if (ntohs(header->ancount) != 0 ||
- ntohs(header->nscount) != 0 ||
- ntohs(header->qdcount) == 0 ||
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14491-2.patch b/dnsmasq-2.77-CVE-2017-14491-2.patch
deleted file mode 100644
index 31a065c..0000000
--- a/dnsmasq-2.77-CVE-2017-14491-2.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
-From: Simon Kelley simon@thekelleys.org.uk
-Date: Tue, 26 Sep 2017 22:00:11 +0100
-Subject: [PATCH 10/10] Security fix, CVE-2017-14491, DNS heap buffer overflow.
-
-Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
-Handles case when RR name is not a pointer to the question,
-only occurs for some auth-mode replies, therefore not
-detected by fuzzing (?)
----
- src/rfc1035.c | 27 +++++++++++++++------------
- 1 file changed, 15 insertions(+), 12 deletions(-)
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 27af023..56ab88b 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
-
- va_start(ap, format); /* make ap point to 1st unamed argument */
-
-- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-- CHECK_LIMIT(12);
--
- if (nameoffset > 0)
- {
-+ CHECK_LIMIT(2);
- PUTSHORT(nameoffset | 0xc000, p);
- }
- else
- {
- char *name = va_arg(ap, char *);
-- if (name)
-- p = do_rfc1035_name(p, name, limit);
-- if (!p)
-- {
-- va_end(ap);
-- goto truncated;
-- }
--
-+ if (name && !(p = do_rfc1035_name(p, name, limit)))
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+
- if (nameoffset < 0)
- {
-+ CHECK_LIMIT(2);
- PUTSHORT(-nameoffset | 0xc000, p);
- }
- else
-- *p++ = 0;
-+ {
-+ CHECK_LIMIT(1);
-+ *p++ = 0;
-+ }
- }
-
-+ /* type (2) + class (2) + ttl (4) + rdlen (2) */
-+ CHECK_LIMIT(10);
-+
- PUTSHORT(type, p);
- PUTSHORT(class, p);
- PUTLONG(ttl, p); /* TTL */
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14491.patch b/dnsmasq-2.77-CVE-2017-14491.patch
deleted file mode 100644
index 9b62e90..0000000
--- a/dnsmasq-2.77-CVE-2017-14491.patch
+++ /dev/null
@@ -1,263 +0,0 @@
-From 445282d13b90712ef90d2c2141d0e19bb1d896d2 Mon Sep 17 00:00:00 2001
-From: Simon Kelley simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 18:17:11 +0100
-Subject: [PATCH] Security fix, CVE-2017-14491 DNS heap buffer overflow.
-
-Fix heap overflow in DNS code. This is a potentially serious
-security hole. It allows an attacker who can make DNS
-requests to dnsmasq, and who controls the contents of
-a domain, which is thereby queried, to overflow
-(by 2 bytes) a heap buffer and either crash, or
-even take control of, dnsmasq.
-
-(original commit 0549c73b7ea6b22a3c49beb4d432f185a81efcbc)
----
- src/dnsmasq.h | 2 +-
- src/dnssec.c | 2 +-
- src/option.c | 2 +-
- src/rfc1035.c | 50 +++++++++++++++++++++++++++++++++++++++++---------
- src/rfc2131.c | 4 ++--
- src/rfc3315.c | 4 ++--
- src/util.c | 7 ++++++-
- 7 files changed, 54 insertions(+), 17 deletions(-)
-
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 06fae35..7a18898 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1179,7 +1179,7 @@ u32 rand32(void);
- u64 rand64(void);
- int legal_hostname(char *c);
- char *canonicalise(char *s, int *nomem);
--unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
-+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
- void *safe_malloc(size_t size);
- void safe_pipe(int *fd, int read_noblock);
- void *whine_malloc(size_t size);
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 3330eef..b6cb55f 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -2230,7 +2230,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
-
- p = (unsigned char *)(header+1);
-
-- p = do_rfc1035_name(p, name);
-+ p = do_rfc1035_name(p, name, NULL);
- *p++ = 0;
- PUTSHORT(type, p);
- PUTSHORT(class, p);
-diff --git a/src/option.c b/src/option.c
-index 064ef62..22bd19a 100644
---- a/src/option.c
-+++ b/src/option.c
-@@ -1415,7 +1415,7 @@ static int parse_dhcp_opt(char *errstr, char *arg, int flags)
- }
-
- p = newp;
-- end = do_rfc1035_name(p + len, dom);
-+ end = do_rfc1035_name(p + len, dom, NULL);
- *end++ = 0;
- len = end - p;
- free(dom);
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 1671883..3397a26 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1062,6 +1062,7 @@ int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bog
- return 0;
- }
-
-+
- int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
- unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
- {
-@@ -1071,12 +1072,21 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
- unsigned short usval;
- long lval;
- char *sval;
-+#define CHECK_LIMIT(size) \
-+ if (limit && p + (size) > (unsigned char*)limit) \
-+ { \
-+ va_end(ap); \
-+ goto truncated; \
-+ }
-
- if (truncp && *truncp)
- return 0;
--
-+
- va_start(ap, format); /* make ap point to 1st unamed argument */
--
-+
-+ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
-+ CHECK_LIMIT(12);
-+
- if (nameoffset > 0)
- {
- PUTSHORT(nameoffset | 0xc000, p);
-@@ -1085,7 +1095,13 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
- {
- char *name = va_arg(ap, char *);
- if (name)
-- p = do_rfc1035_name(p, name);
-+ p = do_rfc1035_name(p, name, limit);
-+ if (!p)
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+
- if (nameoffset < 0)
- {
- PUTSHORT(-nameoffset | 0xc000, p);
-@@ -1106,6 +1122,7 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
- {
- #ifdef HAVE_IPV6
- case '6':
-+ CHECK_LIMIT(IN6ADDRSZ);
- sval = va_arg(ap, char *);
- memcpy(p, sval, IN6ADDRSZ);
- p += IN6ADDRSZ;
-@@ -1113,36 +1130,47 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
- #endif
-
- case '4':
-+ CHECK_LIMIT(INADDRSZ);
- sval = va_arg(ap, char *);
- memcpy(p, sval, INADDRSZ);
- p += INADDRSZ;
- break;
-
- case 'b':
-+ CHECK_LIMIT(1);
- usval = va_arg(ap, int);
- *p++ = usval;
- break;
-
- case 's':
-+ CHECK_LIMIT(2);
- usval = va_arg(ap, int);
- PUTSHORT(usval, p);
- break;
-
- case 'l':
-+ CHECK_LIMIT(4);
- lval = va_arg(ap, long);
- PUTLONG(lval, p);
- break;
-
- case 'd':
-- /* get domain-name answer arg and store it in RDATA field */
-- if (offset)
-- *offset = p - (unsigned char *)header;
-- p = do_rfc1035_name(p, va_arg(ap, char *));
-- *p++ = 0;
-+ /* get domain-name answer arg and store it in RDATA field */
-+ if (offset)
-+ *offset = p - (unsigned char *)header;
-+ p = do_rfc1035_name(p, va_arg(ap, char *), limit);
-+ if (!p)
-+ {
-+ va_end(ap);
-+ goto truncated;
-+ }
-+ CHECK_LIMIT(1);
-+ *p++ = 0;
- break;
-
- case 't':
- usval = va_arg(ap, int);
-+ CHECK_LIMIT(usval);
- sval = va_arg(ap, char *);
- if (usval != 0)
- memcpy(p, sval, usval);
-@@ -1154,20 +1182,24 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
- usval = sval ? strlen(sval) : 0;
- if (usval > 255)
- usval = 255;
-+ CHECK_LIMIT(usval + 1);
- *p++ = (unsigned char)usval;
- memcpy(p, sval, usval);
- p += usval;
- break;
- }
-
-+#undef CHECK_LIMIT
- va_end(ap); /* clean up variable argument pointer */
-
- j = p - sav - 2;
-- PUTSHORT(j, sav); /* Now, store real RDLength */
-+ /* this has already been checked against limit before */
-+ PUTSHORT(j, sav); /* Now, store real RDLength */
-
- /* check for overflow of buffer */
- if (limit && ((unsigned char *)limit - p) < 0)
- {
-+truncated:
- if (truncp)
- *truncp = 1;
- return 0;
-diff --git a/src/rfc2131.c b/src/rfc2131.c
-index a679470..052498c 100644
---- a/src/rfc2131.c
-+++ b/src/rfc2131.c
-@@ -2454,10 +2454,10 @@ static void do_options(struct dhcp_context *context,
-
- if (fqdn_flags & 0x04)
- {
-- p = do_rfc1035_name(p, hostname);
-+ p = do_rfc1035_name(p, hostname, NULL);
- if (domain)
- {
-- p = do_rfc1035_name(p, domain);
-+ p = do_rfc1035_name(p, domain, NULL);
- *p++ = 0;
- }
- }
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 054ecd0..715b6db 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -1479,10 +1479,10 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
- if ((p = expand(len + 2)))
- {
- *(p++) = state->fqdn_flags;
-- p = do_rfc1035_name(p, state->hostname);
-+ p = do_rfc1035_name(p, state->hostname, NULL);
- if (state->send_domain)
- {
-- p = do_rfc1035_name(p, state->send_domain);
-+ p = do_rfc1035_name(p, state->send_domain, NULL);
- *p = 0;
- }
- }
-diff --git a/src/util.c b/src/util.c
-index 145e53a..471faa9 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -227,15 +227,20 @@ char *canonicalise(char *in, int *nomem)
- return ret;
- }
-
--unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
-+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)
- {
- int j;
-
- while (sval && *sval)
- {
-+ if (limit && p + 1 > (unsigned char*)limit)
-+ return p;
-+
- unsigned char *cp = p++;
- for (j = 0; *sval && (*sval != '.'); sval++, j++)
- {
-+ if (limit && p + 1 > (unsigned char*)limit)
-+ return p;
- #ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
- *p++ = (*(++sval))-1;
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14492.patch b/dnsmasq-2.77-CVE-2017-14492.patch
deleted file mode 100644
index 1430b4c..0000000
--- a/dnsmasq-2.77-CVE-2017-14492.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 24036ea507862c7b7898b68289c8130f85599c10 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 18:47:15 +0100
-Subject: [PATCH 3/9] Security fix, CVE-2017-14492, DHCPv6 RA heap overflow.
-
-Fix heap overflow in IPv6 router advertisement code.
-This is a potentially serious security hole, as a
-crafted RA request can overflow a buffer and crash or
-control dnsmasq. Attacker must be on the local network.
----
- src/radv.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/radv.c b/src/radv.c
-index 1032189..9b7e52c 100644
---- a/src/radv.c
-+++ b/src/radv.c
-@@ -198,6 +198,9 @@ void icmp6_packet(time_t now)
- /* look for link-layer address option for logging */
- if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz)
- {
-+ if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {
-+ return;
-+ }
- print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2);
- mac = daemon->namebuff;
- }
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14493.patch b/dnsmasq-2.77-CVE-2017-14493.patch
deleted file mode 100644
index d80553c..0000000
--- a/dnsmasq-2.77-CVE-2017-14493.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 18:52:50 +0100
-Subject: [PATCH 4/9] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
- overflow.
-
-Fix stack overflow in DHCPv6 code. An attacker who can send
-a DHCPv6 request to dnsmasq can overflow the stack frame and
-crash or control dnsmasq.
----
- src/rfc3315.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 1687931..920907c 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
- /* RFC-6939 */
- if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
- {
-+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
-+ return 0;
-+ }
- state->mac_type = opt6_uint(opt, 0, 2);
- state->mac_len = opt6_len(opt) - 2;
- memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14494.patch b/dnsmasq-2.77-CVE-2017-14494.patch
deleted file mode 100644
index 7b49907..0000000
--- a/dnsmasq-2.77-CVE-2017-14494.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 20:05:11 +0100
-Subject: [PATCH 5/9] Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- forwarded requests.
-
-Fix information leak in DHCPv6. A crafted DHCPv6 packet can
-cause dnsmasq to forward memory from outside the packet
-buffer to a DHCPv6 server when acting as a relay.
----
- src/rfc3315.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 920907c..4ca43e0 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
-
- for (opt = opts; opt; opt = opt6_next(opt, end))
- {
-+ if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
-+ return 0;
-+ }
- int o = new_opt6(opt6_type(opt));
- if (opt6_type(opt) == OPTION6_RELAY_MSG)
- {
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14495.patch b/dnsmasq-2.77-CVE-2017-14495.patch
deleted file mode 100644
index 0f793aa..0000000
--- a/dnsmasq-2.77-CVE-2017-14495.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 20:16:50 +0100
-Subject: [PATCH 7/9] Security fix, CVE-2017-14495, OOM in DNS response
- creation.
-
-Fix out-of-memory Dos vulnerability. An attacker which can
-send malicious DNS queries to dnsmasq can trigger memory
-allocations in the add_pseudoheader function
-The allocated memory is never freed which leads to a DoS
-through memory exhaustion. dnsmasq is vulnerable only
-if one of the following option is specified:
---add-mac, --add-cpe-id or --add-subnet.
----
- src/edns0.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/edns0.c b/src/edns0.c
-index 95b74ee..89b2692 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- !(p = skip_section(p,
- ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
- header, plen)))
-+ {
-+ free(buff);
- return plen;
-+ }
- if (p + 11 > limit)
-- return plen; /* Too big */
-+ {
-+ free(buff);
-+ return plen; /* Too big */
-+ }
- *p++ = 0; /* empty name */
- PUTSHORT(T_OPT, p);
- PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
---
-2.9.5
-
diff --git a/dnsmasq-2.77-CVE-2017-14496.patch b/dnsmasq-2.77-CVE-2017-14496.patch
deleted file mode 100644
index 36420e8..0000000
--- a/dnsmasq-2.77-CVE-2017-14496.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 897c113fda0886a28a986cc6ba17bb93bd6cb1c7 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 20:11:58 +0100
-Subject: [PATCH 6/9] Security fix, CVE-2017-14496, Integer underflow in DNS
- response creation.
-
-Fix DoS in DNS. Invalid boundary checks in the
-add_pseudoheader function allows a memcpy call with negative
-size An attacker which can send malicious DNS queries
-to dnsmasq can trigger a DoS remotely.
-dnsmasq is vulnerable only if one of the following option is
-specified: --add-mac, --add-cpe-id or --add-subnet.
----
- src/edns0.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/edns0.c b/src/edns0.c
-index f5b798c..95b74ee 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -144,7 +144,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- GETSHORT(len, p);
-
- /* malformed option, delete the whole OPT RR and start again. */
-- if (i + len > rdlen)
-+ if (i + 4 + len > rdlen)
- {
- rdlen = 0;
- is_last = 0;
-@@ -193,6 +193,8 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
- header, plen)))
- return plen;
-+ if (p + 11 > limit)
-+ return plen; /* Too big */
- *p++ = 0; /* empty name */
- PUTSHORT(T_OPT, p);
- PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
-@@ -204,6 +206,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* Copy back any options */
- if (buff)
- {
-+ if (p + rdlen > limit)
-+ {
-+ free(buff);
-+ return plen; /* Too big */
-+ }
- memcpy(p, buff, rdlen);
- free(buff);
- p += rdlen;
-@@ -220,8 +227,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* Add new option */
- if (optno != 0 && replace != 2)
- {
-+ if (p + 4 > limit)
-+ return plen; /* Too big */
- PUTSHORT(optno, p);
- PUTSHORT(optlen, p);
-+ if (p + optlen > limit)
-+ return plen; /* Too big */
- memcpy(p, opt, optlen);
- p += optlen;
- PUTSHORT(p - datap, lenp);
---
-2.9.5
-
diff --git a/dnsmasq-2.77-arcount.patch b/dnsmasq-2.77-arcount.patch
deleted file mode 100644
index e6bf0d7..0000000
--- a/dnsmasq-2.77-arcount.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a3303e196e5d304ec955c4d63afb923ade66c6e8 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Thu, 7 Sep 2017 20:45:00 +0100
-Subject: [PATCH] Don't return arcount=1 if EDNS0 RR won't fit in the packet.
-
-Omitting the EDNS0 RR but setting arcount gives a malformed packet.
-Also, don't accept UDP packet size less than 512 in recieved EDNS0.
----
- src/edns0.c | 5 ++++-
- src/forward.c | 2 ++
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/edns0.c b/src/edns0.c
-index 3fde17f..f5b798c 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -208,7 +208,10 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- free(buff);
- p += rdlen;
- }
-- header->arcount = htons(ntohs(header->arcount) + 1);
-+
-+ /* Only bump arcount if RR is going to fit */
-+ if (((ssize_t)optlen) <= (limit - (p + 4)))
-+ header->arcount = htons(ntohs(header->arcount) + 1);
- }
-
- if (((ssize_t)optlen) > (limit - (p + 4)))
-diff --git a/src/forward.c b/src/forward.c
-index e3fa94b..942b02d 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -1412,6 +1412,8 @@ void receive_query(struct listener *listen, time_t now)
- defaults to 512 */
- if (udp_size > daemon->edns_pktsz)
- udp_size = daemon->edns_pktsz;
-+ else if (udp_size < PACKETSZ)
-+ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
- }
-
- #ifdef HAVE_AUTH
---
-2.9.5
-
diff --git a/dnsmasq-2.77-misc-cleanups.patch b/dnsmasq-2.77-misc-cleanups.patch
deleted file mode 100644
index 1c7edd7..0000000
--- a/dnsmasq-2.77-misc-cleanups.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 6a0b00f0d66490e074323d04782e75c4ba8a3f8d Mon Sep 17 00:00:00 2001
-From: Simon Kelley
simon@thekelleys.org.uk
-Date: Mon, 25 Sep 2017 20:19:55 +0100
-Subject: [PATCH 8/9] Misc code cleanups arising from Google analysis. No
- security impleications or CVEs.
-
----
- src/edns0.c | 2 +-
- src/rfc1035.c | 4 +++-
- src/rfc2131.c | 2 +-
- 3 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/edns0.c b/src/edns0.c
-index 89b2692..7ed5a47 100644
---- a/src/edns0.c
-+++ b/src/edns0.c
-@@ -159,7 +159,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
- /* delete option if we're to replace it. */
- p -= 4;
- rdlen -= len + 4;
-- memcpy(p, p+len+4, rdlen - i);
-+ memmove(p, p+len+4, rdlen - i);
- PUTSHORT(rdlen, lenp);
- lenp -= 2;
- }
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 826f8a4..27af023 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -37,7 +37,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
- /* end marker */
- {
- /* check that there are the correct no of bytes after the name */
-- if (!CHECK_LEN(header, p, plen, extrabytes))
-+ if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes))
- return 0;
-
- if (isExtract)
-@@ -498,6 +498,8 @@ static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *
- {
- unsigned int i, len = *p1;
- unsigned char *p2 = p1;
-+ if ((p1 + len - p) >= rdlen)
-+ return 0; /* bad packet */
- /* make counted string zero-term and sanitise */
- for (i = 0; i < len; i++)
- {
-diff --git a/src/rfc2131.c b/src/rfc2131.c
-index f7c1f80..f3a7e53 100644
---- a/src/rfc2131.c
-+++ b/src/rfc2131.c
-@@ -157,7 +157,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
- for (offset = 0; offset < (len - 5); offset += elen + 5)
- {
- elen = option_uint(opt, offset + 4 , 1);
-- if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA)
-+ if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA && offset + elen + 5 <= len)
- {
- unsigned char *x = option_ptr(opt, offset + 5);
- unsigned char *y = option_ptr(opt, offset + elen + 5);
---
-2.9.5
-
diff --git a/dnsmasq-2.77-stdio.h.patch b/dnsmasq-2.77-stdio.h.patch
deleted file mode 100644
index dc53025..0000000
--- a/dnsmasq-2.77-stdio.h.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b476faf1c4f96c093ea1a8a0c824dea9f55b665f Mon Sep 17 00:00:00 2001
-From: Christian Hesse
list@eworm.de
-Date: Mon, 25 Sep 2017 17:36:24 +0100
-Subject: [PATCH] Do not include stdio.h before dnsmasq.h
-
-We define some constants in dnsmasq.h, which have an influence on
-stdio.h. So do not include stdio.h before dnsmasq.h.
----
- src/dnsmasq.h | 6 ++++++
- src/helper.c | 1 -
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 7a18898..421488b 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -16,6 +16,12 @@
-
- #define COPYRIGHT "Copyright (c) 2000-2016 Simon Kelley"
-
-+/* We do defines that influence behavior of stdio.h, so complain
-+ if included too early. */
-+#ifdef _STDIO_H
-+# error "Header file stdio.h included too early!"
-+#endif
-+
- #ifndef NO_LARGEFILE
- /* Ensure we can use files >2GB (log files may grow this big) */
- # define _LARGEFILE_SOURCE 1
-diff --git a/src/helper.c b/src/helper.c
-index 4fffa27..68ce9a7 100644
---- a/src/helper.c
-+++ b/src/helper.c
-@@ -14,7 +14,6 @@
- along with this program. If not, see
http://www.gnu.org/licenses/.
- */
-
--#include <stdio.h>
- #include "dnsmasq.h"
-
- #ifdef HAVE_SCRIPT
---
-2.9.5
-
diff --git a/dnsmasq.spec b/dnsmasq.spec
index ec4e468..af552d2 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -12,8 +12,8 @@
%define _hardened_build 1
Name: dnsmasq
-Version: 2.77
-Release: 9%{?extraversion:.%{extraversion}}%{?dist}
+Version: 2.78
+Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
@@ -22,18 +22,8 @@ URL:
http://www.thekelleys.org.uk/dnsmasq/
Source0:
http://www.thekelleys.org.uk/dnsmasq/%%7B?extrapath%7D%%7Bname%7D-%%7Bversio...
Source1: %{name}.service
-Patch1: dnsmasq-2.77-CVE-2017-13704.patch
-Patch2: dnsmasq-2.77-CVE-2017-14491.patch
-Patch3: dnsmasq-2.77-CVE-2017-14492.patch
-Patch4: dnsmasq-2.77-CVE-2017-14493.patch
-Patch5: dnsmasq-2.77-CVE-2017-14494.patch
-Patch6: dnsmasq-2.77-CVE-2017-14496.patch
-Patch7: dnsmasq-2.77-CVE-2017-14495.patch
-Patch8: dnsmasq-2.77-misc-cleanups.patch
-Patch9: dnsmasq-2.77-CVE-2017-14491-2.patch
-Patch10: dnsmasq-2.77-stdio.h.patch
-Patch11: dnsmasq-2.77-arcount.patch
-Patch12: dnsmasq-2.77-underflow.patch
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1495409
+Patch1: dnsmasq-2.77-underflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -68,18 +58,7 @@ query/remove a DHCP server's leases.
%prep
%setup -q -n %{name}-%{version}%{?extraversion}
-%patch1 -p1 -b .CVE-2017-13704
-%patch2 -p1 -b .CVE-2017-14491
-%patch3 -p1 -b .CVE-2017-14492
-%patch4 -p1 -b .CVE-2017-14493
-%patch5 -p1 -b .CVE-2017-14494
-%patch6 -p1 -b .CVE-2017-14496
-%patch7 -p1 -b .CVE-2017-14495
-%patch8 -p1 -b .misc-cleanups
-%patch9 -p1 -b .CVE-2017-14491-2
-%patch10 -p1 -b .stdio.h
-%patch11 -p1 -b .arcount
-%patch12 -p1 -b .underflow
+%patch1 -p1 -b .underflow
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -166,6 +145,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/dhcp_*
%changelog
+* Tue Oct 03 2017 Petr Menšík
pemensik@redhat.com - 2.78-1
+- Rebase to 2.78
+
* Tue Oct 03 2017 Petr Menšík
pemensik@redhat.com - 2.77-9
- More patches related to CVE-2017-14491
diff --git a/sources b/sources
index 8d29c8c..ed48c35 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (dnsmasq-2.77.tar.xz) = 6ca98a71a8fdfd606e29c58b34dadfa63148c39f931570cca67a287e044d52c6ec2f8acbf5620ada3312e9db3a2fd63877188d829c070beaa730607e3309e768
+SHA512 (dnsmasq-2.78.tar.xz) = 9b79b84e5a768d52f90f6335ccef2c404ecd7a13e78e49f4cd0755fffc6cf34d0dc96ad4c72cad1dab3c5743a8d0d789b3e9b6e625b03c5675bb898ca61a698b
https://src.fedoraproject.org/rpms/dnsmasq/c/1447e0aebc6b23107b7997a8e523982...