oss-sec mailing list archives

CVE-2017-9445: Out-of-bounds write in systemd-resolved with crafted TCP payload


From: Chris Coulson <chris.coulson () canonical com>
Date: Tue, 27 Jun 2017 18:58:29 +0100

Hi,

I recently discovered an out-of-bounds write in systemd-resolved in
Ubuntu, which is possible to trigger with a specially crafted TCP payload.

Details from the Ubuntu bug follow:
https://launchpad.net/bugs/1695546

----
Certain sizes passed to dns_packet_new can cause it to allocate a buffer
that's too small. A page-aligned number - sizeof(DnsPacket) +
sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
page-aligned number - 80. E.g., calling dns_packet_new with a size of 4016
on x86 will result in an allocation of 4096 bytes, but 108 bytes of this
are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved into allocating a buffer
that's too small, and subsequently write arbitrary data beyond the end
of it.

I believe this was introduced by
https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37
(v223) and affects all subsequent versions up to and including v233.
----

A patch to resolve this has been provided by Zbigniew
Jędrzejewski-Szmek, along with an additional patch to implement a test.
Both of these are attached.

Many thanks,
Chris

Attachment: 0001-test-resolved-packet-add-a-simple-test-for-our-alloc.patch

Attachment: 0002-resolved-simplify-alloc-size-calculation.patch

Attachment: signature.asc
Description: OpenPGP digital signature
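The size arithmetic quoted from the bug above, worked through as an added example (my own C, not systemd's dns_packet_new and not the attached patches). It assumes the pre-fix scheme subtracts the IP/UDP header bytes from the requested size and pads struct plus data up to a page, as the quoted constants suggest, and uses the x86 figures from the report (108-byte struct, 28 header bytes, 4096-byte pages); the sweep over every TCP length goes beyond the single 4016 case the report gives.

```c
/* Added example (not systemd's code): models the DnsPacket sizing arithmetic
 * the report describes and checks, size by size, whether the usable buffer
 * can hold the payload the caller asked for. x86 figures from the report. */
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE       4096u
#define DNS_PACKET_HDR  108u    /* sizeof(DnsPacket) on x86 */
#define IP_UDP_HDR      28u     /* sizeof(iphdr) + sizeof(udphdr) */
#define DNS_TCP_MAX     65535u  /* largest 16-bit TCP length prefix */

static size_t page_align(size_t n) {
        return (n + PAGE_SIZE - 1) & ~(size_t)(PAGE_SIZE - 1);
}

/* Assumed pre-fix scheme: `size` is treated as a link MTU, the IP/UDP header
 * bytes are dropped, and struct plus data are rounded up to a whole page.
 * The page slack usually hides the 28-byte shortfall; it vanishes exactly
 * when struct + data already fill a page, which is the report's 4016 case. */
size_t capacity_before_fix(size_t size) {
        size_t a = size > IP_UDP_HDR ? size - IP_UDP_HDR : 0;
        return page_align(DNS_PACKET_HDR + a) - DNS_PACKET_HDR;
}

/* Corrected variant (mine, not the attached patch): `size` is the payload
 * the caller really needs, so nothing is subtracted from it. */
size_t capacity_after_fix(size_t size) {
        return page_align(DNS_PACKET_HDR + size) - DNS_PACKET_HDR;
}

/* Bytes that would land past the buffer if `size` bytes were read into it. */
size_t overflow_bytes(size_t (*cap)(size_t), size_t size) {
        size_t c = cap(size);
        return size > c ? size - c : 0;
}

/* Regression-style sweep over every length a TCP DNS message can have. */
unsigned count_unsafe_sizes(size_t (*cap)(size_t)) {
        unsigned n = 0;
        for (size_t s = 1; s <= DNS_TCP_MAX; s++)
                n += overflow_bytes(cap, s) > 0;
        return n;
}

int main(void) {
        size_t s = PAGE_SIZE - DNS_PACKET_HDR + IP_UDP_HDR;  /* 4016 */
        printf("size %zu: capacity %zu, %zu bytes short\n", s,
               capacity_before_fix(s), overflow_bytes(capacity_before_fix, s));
        return 0;
}
```

Under these assumptions the unsafe requests are the 28 sizes just below each page boundary (3989 to 4016 on the first page), so a test that only tries a few round numbers would miss them.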
