package/busybox/0005-fix-CVE-2016-2148.patch - buildroot - Git at Google

 From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
 From: Denys Vlasenko <vda.linux@googlemail.com>
 Date: Thu, 10 Mar 2016 11:47:58 +0100
 Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name

 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
 (cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 ---
  networking/udhcp/domain_codec.c | 13 +++++++++----
  1 file changed, 9 insertions(+), 4 deletions(-)

 diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
 index c1325d8..8429367 100644
 --- a/networking/udhcp/domain_codec.c
 +++ b/networking/udhcp/domain_codec.c
 @@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
  				if (crtpos + *c + 1 > clen) /* label too long? abort */
  					return NULL;
  				if (dst)
 -					memcpy(dst + len, c + 1, *c);
 +					/* \3com ---> "com." */
 +					((char*)mempcpy(dst + len, c + 1, *c))[0] = '.';
  				len += *c + 1;
  				crtpos += *c + 1;
 -				if (dst)
 -					dst[len - 1] = '.';
  			} else {
  				/* NUL: end of current domain name */
  				if (retpos == 0) {
 @@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t *cstr, int clen, const char *pre)
  					crtpos = retpos;
  					retpos = depth = 0;
  				}
 -				if (dst)
 +				if (dst && len != 0)
 +					/* \4host\3com\0\4host and we are at \0:
 +					 * \3com was converted to "com.", change dot to space.
 +					 */
  					dst[len - 1] = ' ';
  			}

 @@ -228,6 +230,9 @@ int main(int argc, char **argv)
  	int len;
  	uint8_t *encoded;

 +        uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
 +        printf("NUL:'%s'\n",   dname_dec(str, 6, ""));
 +
  #define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
  	printf("'%s'\n",       DNAME_DEC("\4host\3com\0", "test1:"));
  	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
 --
 2.7.4
	From 3a76bb5136d05f94ee62e377aa723e63444912c7 Mon Sep 17 00:00:00 2001
	From: Denys Vlasenko <vda.linux@googlemail.com>
	Date: Thu, 10 Mar 2016 11:47:58 +0100
	Subject: [PATCH] udhcp: fix a SEGV on malformed RFC1035-encoded domain name

	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	Signed-off-by: Mike Frysinger <vapier@gentoo.org>
	(cherry picked from commit d474ffc68290e0a83651c4432eeabfa62cd51e87)
	Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
	---
	networking/udhcp/domain_codec.c \| 13 +++++++++----
	1 file changed, 9 insertions(+), 4 deletions(-)

	diff --git a/networking/udhcp/domain_codec.c b/networking/udhcp/domain_codec.c
	index c1325d8..8429367 100644
	--- a/networking/udhcp/domain_codec.c
	+++ b/networking/udhcp/domain_codec.c
	@@ -63,11 +63,10 @@ char* FAST_FUNC dname_dec(const uint8_t cstr, int clen, const char pre)
	if (crtpos + c + 1 > clen) / label too long? abort */
	return NULL;
	if (dst)
	- memcpy(dst + len, c + 1, *c);
	+ /* \3com ---> "com." */
	+ ((char)mempcpy(dst + len, c + 1, c))[0] = '.';
	len += *c + 1;
	crtpos += *c + 1;
	- if (dst)
	- dst[len - 1] = '.';
	} else {
	/* NUL: end of current domain name */
	if (retpos == 0) {
	@@ -78,7 +77,10 @@ char* FAST_FUNC dname_dec(const uint8_t cstr, int clen, const char pre)
	crtpos = retpos;
	retpos = depth = 0;
	}
	- if (dst)
	+ if (dst && len != 0)
	+ /* \4host\3com\0\4host and we are at \0:
	+ * \3com was converted to "com.", change dot to space.
	+ */
	dst[len - 1] = ' ';
	}

	@@ -228,6 +230,9 @@ int main(int argc, char **argv)
	int len;
	uint8_t *encoded;

	+ uint8_t str[6] = { 0x00, 0x00, 0x02, 0x65, 0x65, 0x00 };
	+ printf("NUL:'%s'\n", dname_dec(str, 6, ""));
	+
	#define DNAME_DEC(encoded,pre) dname_dec((uint8_t*)(encoded), sizeof(encoded), (pre))
	printf("'%s'\n", DNAME_DEC("\4host\3com\0", "test1:"));
	printf("test2:'%s'\n", DNAME_DEC("\4host\3com\0\4host\3com\0", ""));
	--
	2.7.4