mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-01 13:40:04 +00:00
Code Issues Projects Releases Wiki Activity

dnsmasq: fix CVE-2026-4891

Browse Source 
A heap-based out-of-bounds read vulnerability in the
DNSSEC validation of dnsmasq allows remote attackers
to cause a denial of service via a crafted DNS packet.

Reference:
[ https://nvd.nist.gov/vuln/detail/CVE-2026-4891 ]

Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Abhishek Bachiphale
2026-05-18 22:43:33 +05:30
committed by Khem Raj
parent 78162615f5
commit a9de48a9fa
2 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
+1
View File
@@ -17,6 +17,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
file://dnsmasq-resolved.conf \ file://dnsmasq-resolved.conf \
file://CVE-2026-2291.patch \ file://CVE-2026-2291.patch \
file://CVE-2026-4890.patch \ file://CVE-2026-4890.patch \
file://CVE-2026-4891.patch \
" "
SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1" SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch
+40
View File
@@ -0,0 +1,40 @@
commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed Mar 25 23:04:08 2026 +0000
Verify rdlen field in RRSIG packets. CVE-2026-4891
Bug report from Royce M <royce@xchglabs.com>
This avoids crafted packets which give a value for rdlen _less_
then the space taken up by the fixed data and the signer's name
and engender a negative calculated length for the signature.
CVE: CVE-2026-4891
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/dnssec.c b/src/dnssec.c
index 0860daa..4bb0495 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
*ttl_out = ttl;
}
-
+
+ /* Don't trust rdlen not to be too small and give us a negative sig_len
+ It has already been checked that it doesn't run us off the end
+ of the packet. */
+ if ((sig_len = rdlen - (p - psav)) <= 0)
+ return STAT_BOGUS;
+
sig = p;
- sig_len = rdlen - (p - psav);
-
nsigttl = htonl(orig_ttl);
hash->update(ctx, 18, psav);