From a53328688a239e97b8383ffbfd7b4b4eca108d73 Mon Sep 17 00:00:00 2001
From: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Date: Mon, 18 May 2026 22:43:31 +0530
Subject: [PATCH] dnsmasq: fix CVE-2026-2291

dnsmasqs extract_name() function can be abused to cause a heap buffer
overflow, allowing an attacker to inject false DNS cache entries,
which could result in DNS lookups to redirect to an attacker-controlled
IP address, or to cause a DoS.

Reference:
[ https://nvd.nist.gov/vuln/detail/CVE-2026-2291 ]

Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
---
 .../recipes-support/dnsmasq/dnsmasq_2.92.bb   |  1 +
 .../dnsmasq/files/CVE-2026-2291.patch         | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
index 59509ecba2..bef058aa3e 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
            file://dnsmasq-resolvconf.service \
            file://dnsmasq-noresolvconf.service \
            file://dnsmasq-resolved.conf \
+           file://CVE-2026-2291.patch \
 "
 SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
 
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
new file mode 100644
index 0000000000..6e42f32136
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
@@ -0,0 +1,37 @@
+commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Fri Apr 10 16:29:31 2026 +0100
+
+Fix buffer overflow in struct bigname.  CVE-2026-2291
+
+All buffers capable of holding a domain name should be
+at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
+size of a domain name. The accounts for the trailing zero and the
+fact that some characters are escaped in the internal representation
+of a domain name in dnsmasq.
+
+The declaration of struct bigname get this wrong, with the effect
+that a remote attacker capable of asking DNS queries or answering DNS
+queries can cause a large OOB write in the heap.
+
+This was first spotted by Andrew S. Fasano.
+
+CVE: CVE-2026-2291
+
+Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 ] 
+
+Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 254bacd..58be09f 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -479,7 +479,7 @@ struct interface_name {
+ };
+
+ union bigname {
+-  char name[MAXDNAME];
++  char name[(2*MAXDNAME) + 1];
+   union bigname *next; /* freelist */
+ };
+