busybox: Security fix CVE-2016-2147
busybox <= 1.24.2 (From OE-Core rev: 8a7a392ef37b3d5bd8ef81ab17d976696ad64dfe) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
2928ca48e9
commit
9f3d7ae8f6
|
@ -0,0 +1,57 @@
|
|||
From d474ffc68290e0a83651c4432eeabfa62cd51e87 Mon Sep 17 00:00:00 2001
|
||||
From: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Date: Thu, 10 Mar 2016 11:47:58 +0100
|
||||
Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name
|
||||
|
||||
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2016-2147
|
||||
|
||||
https://git.busybox.net/busybox/commit/?id=d474ffc
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
networking/udhcp/domain_codec.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
Index: busybox-1.23.2/networking/udhcp/domain_codec.c
|
||||
===================================================================
|
||||
--- busybox-1.23.2.orig/networking/udhcp/domain_codec.c
|
||||
+++ busybox-1.23.2/networking/udhcp/domain_codec.c
|
||||
@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t
|
||||
if (crtpos + *c + 1 > clen) /* label too long? abort */
|
||||
return NULL;
|
||||
if (dst)
|
||||
- memcpy(dst + len, c + 1, *c);
|
||||
+ /* \3com ---> "com." */
|
||||
+ ((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
|
||||
len += *c + 1;
|
||||
crtpos += *c + 1;
|
||||
- if (dst)
|
||||
- dst[len - 1] = '.';
|
||||
} else {
|
||||
/* NUL: end of current domain name */
|
||||
if (retpos == 0) {
|
||||
@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t
|
||||
crtpos = retpos;
|
||||
retpos = depth = 0;
|
||||
}
|
||||
- if (dst)
|
||||
+ if (dst && len != 0)
|
||||
+ /* \4host\3com\0\4host and we are at \0:
|
||||
+ * \3com was converted to "com.", change dot to space.
|
||||
+ */
|
||||
dst[len - 1] = ' ';
|
||||
}
|
||||
|
||||
@@ -228,6 +230,9 @@ int main(int argc, char **argv)
|
||||
int len;
|
||||
uint8_t *encoded;
|
||||
|
||||
+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
|
||||
+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
|
||||
+
|
||||
#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
|
||||
printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
|
||||
printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
|
|
@ -0,0 +1,32 @@
|
|||
From 1b7c17391de66502dd7a97c866e0a33681edbb1f Mon Sep 17 00:00:00 2001
|
||||
From: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Date: Fri, 11 Mar 2016 00:26:58 +0100
|
||||
Subject: [PATCH] udhcpc: fix a warning in debug code
|
||||
|
||||
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Upsteam-Status: Backport
|
||||
CVE: CVE-2016-2147 regression fix
|
||||
|
||||
https://git.busybox.net/busybox/commit/?id=1b7c17
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
networking/udhcp/domain_codec.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
|
||||
index cee31f1..5a923cc 100644
|
||||
--- a/networking/udhcp/domain_codec.c
|
||||
+++ b/networking/udhcp/domain_codec.c
|
||||
@@ -7,6 +7,7 @@
|
||||
* Licensed under GPLv2 or later, see file LICENSE in this source tree.
|
||||
*/
|
||||
#ifdef DNS_COMPR_TESTING
|
||||
+# define _GNU_SOURCE
|
||||
# define FAST_FUNC /* nothing */
|
||||
# define xmalloc malloc
|
||||
# include <stdlib.h>
|
||||
--
|
||||
2.3.5
|
||||
|
|
@ -45,6 +45,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
|
|||
file://rcK \
|
||||
file://runlevel \
|
||||
file://CVE-2016-2148.patch \
|
||||
file://CVE-2016-2147.patch \
|
||||
file://CVE-2016-2147_2.patch \
|
||||
"
|
||||
SRC_URI_append_libc-musl = " file://musl.cfg "
|
||||
|
||||
|
|
Loading…
Reference in New Issue