diff options
Diffstat (limited to 'yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch')
-rw-r--r-- | yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch new file mode 100644 index 000000000..218b60a85 --- /dev/null +++ b/yocto-poky/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch @@ -0,0 +1,49 @@ +From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001 +From: Waldemar Brodkorb <wbx@openadk.org> +Date: Sun, 17 Jan 2016 15:47:22 +0100 +Subject: [PATCH] Do not follow compressed items forever. + +It is possible to get stuck in an infinite loop when receiving a +specially crafted DNS reply. Exit the loop after a number of iteration +and consider the packet invalid. + +Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> +Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> + +Upstream-status: Backport +http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515 + +CVE: CVE-2016-2224 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libc/inet/resolv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Index: git/libc/inet/resolv.c +=================================================================== +--- git.orig/libc/inet/resolv.c ++++ git/libc/inet/resolv.c +@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char + bool measure = 1; + unsigned total = 0; + unsigned used = 0; ++ unsigned maxiter = 256; + + if (!packet) + return -1; + +- while (1) { ++ while (--maxiter) { + if (offset >= packet_len) + return -1; + b = packet[offset++]; +@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char + else + dest[used++] = '\0'; + } ++ if (!maxiter) ++ return -1; + + /* The null byte must be counted too */ + if (measure) |