File adns-1.5.1-CVE-2017-9106.patch of Package adns.15332

A merger of these 2 patches:
-----
From 54d811a530e9cf16148998cd9fdd168dbf8e14d5 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Sat, 3 Dec 2016 14:51:18 +0000
Subject: [PATCH 06/32] cs_inthost*: Break out csp_intofinthost

No functional change.

This removes some duplication, enabling the following security patch
to fix just the one copy.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 src/types.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

-----

From 37792aacaf7abbcdac6a02715a5ef794b5147f13 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Sat, 3 Dec 2016 14:51:54 +0000
Subject: [PATCH 07/32] SECURITY: Defend adns_rr_info (somewhat) from bogus
 *datap

The general pattern for formatting integers is to sprintf into a
fixed-size buffer.  This is correct if the input is in the right
range; if it isn't, the buffer may be overrun (depending on the sizes
of the types on the current platform).

Of course the inputs ought to be right.  And there are pointers in
there too, so perhaps we could say that the caller ought to check
these things.  I think it's better to require the caller to make the
pointer structure right, but to have the code here be defensive about
(and tolerate with an error but without crashing) out-of-range integer
values.

So: defend each of these integer conversion sites with a check for the
actual permitted range, and return adns_s_invaliddata if not.

The lack of this check causes the SOA sign extension bug to be a
serious security problem: the sign extended SOA value is out of range,
and will overrun the buffer when reconverted.

Found by AFL 2.35b.  CVE-2017-9106.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 src/types.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)


Index: adns-1.5.1/src/types.c
===================================================================
--- adns-1.5.1.orig/src/types.c
+++ adns-1.5.1/src/types.c
@@ -1108,13 +1108,23 @@ static void mf_inthostaddr(adns_query qu
   mfp_hostaddr(qu,&rrp->ha);
 }
 
-static adns_status cs_inthostaddr(vbuf *vb, const void *datap) {
-  const adns_rr_inthostaddr *rrp= datap;
+static adns_status csp_intofinthost(vbuf *vb, int i) {
   char buf[10];
 
-  sprintf(buf,"%u ",rrp->i);
+  if (i < 0 || i > 0xffff)
+    /* currently only used for MX whose priorities are 16-bit */
+    return adns_s_invaliddata;
+
+  sprintf(buf,"%u ",i);
   CSP_ADDSTR(buf);
+  return adns_s_ok;
+}
 
+static adns_status cs_inthostaddr(vbuf *vb, const void *datap) {
+  const adns_rr_inthostaddr *rrp= datap;
+  adns_status st;
+
+  st = csp_intofinthost(vb,rrp->i);  if (st) return st;
   return csp_hostaddr(vb,&rrp->ha);
 }
 
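Review bot: In csp_intofinthost the write into `buf[10]` is bounded only by the range check three lines above it, so the buffer size and the permitted range have to be kept in step by hand, and the comment itself says the 16-bit limit is only the current use. Making the write self-bounding, and matching the specifier to the `int` argument, removes that coupling: `snprintf(buf,sizeof(buf),"%u ",(unsigned)i);`. The same applies to the `sprintf` calls that follow the new checks in the csp_srv_begin and cs_opaque hunks; in cs_opaque the declaration of `buf` is outside the hunk, so its size cannot be confirmed from here.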
@@ -1124,10 +1134,9 @@ static adns_status cs_inthostaddr(vbuf *
 
 static adns_status cs_inthost(vbuf *vb, const void *datap) {
   const adns_rr_intstr *rrp= datap;
-  char buf[10];
+  adns_status st;
 
-  sprintf(buf,"%u ",rrp->i);
-  CSP_ADDSTR(buf);
+  st = csp_intofinthost(vb,rrp->i);  if (st) return st;
   return csp_domain(vb,rrp->str);
 }
 
@@ -1409,6 +1418,8 @@ static adns_status cs_soa(vbuf *vb, cons
   st= csp_mailbox(vb,rrp->rname);  if (st) return st;
 
   for (i=0; i<5; i++) {
+    if (rrp->serial > 0xffffffffUL)
+      return adns_s_invaliddata;
     sprintf(buf," %lu",(&rrp->serial)[i]);
     CSP_ADDSTR(buf);
   }
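Review bot: The guard added inside the loop tests `rrp->serial` on every iteration, while the `sprintf` below it formats `(&rrp->serial)[i]`, so the four fields after serial are never range-checked before being written into `buf`. The check should index the same element that is formatted: `if ((&rrp->serial)[i] > 0xffffffffUL)`. The declaration of `buf` is outside the hunk, so whether an out-of-range later field can actually overrun it depends on its size and on the width of `unsigned long` on the platform; the commit message describes exactly that overrun for serial. cs_soa starts and ends outside the hunk.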
@@ -1497,6 +1508,10 @@ static int di_srv(adns_state ads, const
 static adns_status csp_srv_begin(vbuf *vb, const adns_rr_srvha *rrp
 				   /* might be adns_rr_srvraw* */) {
   char buf[30];
+  if (rrp->priority < 0 || rrp->priority > 0xffff ||
+      rrp->weight   < 0 || rrp->weight   > 0xffff ||
+      rrp->port     < 0 || rrp->port     > 0xffff)
+    return adns_s_invaliddata;
   sprintf(buf,"%u %u %u ", rrp->priority, rrp->weight, rrp->port);
   CSP_ADDSTR(buf);
   return adns_s_ok;
@@ -1612,6 +1627,9 @@ static adns_status cs_opaque(vbuf *vb, c
   int l;
   unsigned char *p;
 
+  if (rrp->len < 0 || rrp->len > 0xffff)
+    return adns_s_invaliddata;
+
   sprintf(buf,"\\# %d",rrp->len);
   CSP_ADDSTR(buf);
   