Security fix, CVE-2017-14496, Integer underflow in DNS response creation. 17/170417/1 accepted/tizen/unified/20180222.142138 submit/tizen/20180222.013450
author Seonah Moon <seonah1.moon@samsung.com>
Mon, 16 Oct 2017 07:48:06 +0000 (16:48 +0900)
committer Seonah Moon <seonah1.moon@samsung.com>
Tue, 20 Feb 2018 02:16:31 +0000 (11:16 +0900)
Fix DoS in DNS. Invalid boundary checks in the
add_pseudoheader function allow a memcpy call with negative
size. An attacker who can send malicious DNS queries
to dnsmasq can trigger a DoS remotely.
dnsmasq is vulnerable only if one of the following options is
specified: --add-mac, --add-cpe-id or --add-subnet.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7

Change-Id: I4171560a179639755a115abfc381f03aa54f3bab
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
src/rfc1035.c

index 26a2254..de009d0 100644 (file)
@@ -564,8 +564,12 @@ static size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned
   
   if (optno != 0)
     {
+      if (p + 4 > limit)
+        return plen; /* Too big */
       PUTSHORT(optno, p);
       PUTSHORT(optlen, p);
+      if (p + optlen > limit)
+        return plen; /* Too big */
       memcpy(p, opt, optlen);
       p += optlen;  
     }
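Review bot: the second check, `if (p + optlen > limit)`, runs only after both PUTSHORT calls, so when the option body does not fit the function returns plen with the 4-byte option code and length already written at p. A single check before any write, covering the header and the body together (4 + optlen bytes), would leave the buffer untouched on the "Too big" path and make the two early returns behave the same way. Both checks also compute p + n before comparing with limit; if that sum can point more than one element past the end of the buffer the addition itself is undefined in C, so comparing the remaining space, (size_t)(limit - p), against the required length is the safer form. That rewrite assumes p <= limit on entry to this block, which is not visible in the hunk and is worth confirming or stating in a comment.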