|
| 1 | +From d37c38288c0bc98af40fd606c116744baaa1574c Mon Sep 17 00:00:00 2001 |
| 2 | +From: Simon Kelley <simon@thekelleys.org.uk> |
| 3 | +Date: Fri, 22 May 2026 04:57:41 +0000 |
| 4 | +Subject: [PATCH 6/6] CVE-2026-5172 |
| 5 | + |
| 6 | + Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172 |
| 7 | + |
| 8 | + Thanks to Hugo Martinez Ray for spotting this. |
| 9 | + |
| 10 | + The value of rdlen for an RR can be a lie, allowing the |
| 11 | + call to extract_name() at rfc1025.c:952 to advance the value of p1 |
| 12 | + past the calculated end of the record. This makes the calculation |
| 13 | + of bytes remaining in the RR underflow to a huge number and results |
| 14 | + in a massive heap OOB read and certain crash. |
| 15 | + |
| 16 | +Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-5172.diff |
| 17 | +--- |
| 18 | + src/rfc1035.c | 3 ++- |
| 19 | + 1 file changed, 2 insertions(+), 1 deletion(-) |
| 20 | + |
| 21 | +diff --git a/src/rfc1035.c b/src/rfc1035.c |
| 22 | +index f0e1082..7e05fb5 100644 |
| 23 | +--- a/src/rfc1035.c |
| 24 | ++++ b/src/rfc1035.c |
| 25 | +@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t |
| 26 | + /* Name, extract it then re-encode. */ |
| 27 | + int len; |
| 28 | + |
| 29 | +- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0)) |
| 30 | ++ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */ |
| 31 | ++ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr)) |
| 32 | + { |
| 33 | + blockdata_free(addr.rrblock.rrdata); |
| 34 | + return 2; |
| 35 | +-- |
| 36 | +2.45.4 |
| 37 | + |
0 commit comments