From a682942dd59a54e957df32e981c8fb104555de43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=83=A1=E4=B9=89=E8=87=BB?=
Date: Mon, 16 Dec 2024 21:09:23 +0800
Subject: [PATCH] Fix out-of-bounds heap read in order_qsort(). Fix buffer overflow when configured lease-change script name
(cherry picked from commit b580ae493fc991eab96d764efa6818568be9a47c)
---
 ...low-when-configured-lease-change-scr.patch | 32 +++++++++++++++++
 ...t-of-bounds-heap-read-in-order_qsort.patch | 35 +++++++++++++++++++
 dnsmasq.spec | 10 +++++-
 3 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch
 create mode 100644 backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch
diff --git a/backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch b/backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch
new file mode 100644
index 0000000..06089ec
--- /dev/null
+++ b/backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch
@@ -0,0 +1,32 @@
+From ae85ea38581e97445622d2dad79cd09775cb201a Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Thu, 21 Nov 2024 15:42:49 +0000
+Subject: [PATCH] Fix buffer overflow when configured lease-change script name
+ is too long.
+
+Thanks to Daniel Rhea for finding this one.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=ae85ea38581e97445622d2dad79cd09775cb201a
+Conflict:NA
+---
+ src/lease.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lease.c b/src/lease.c
+index 1a9f1c6..a944fbb 100644
+--- a/src/lease.c
++++ b/src/lease.c
+@@ -155,6 +155,10 @@ void lease_init(time_t now)
+ #ifdef HAVE_SCRIPT
+ if (daemon->lease_change_command)
+ {
++ /* 6 == strlen(" init") plus terminator */
++ if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ)
++ die(_("lease-change script name is too long"), NULL, EC_FILE);
++
+ strcpy(daemon->dhcp_buff, daemon->lease_change_command);
+ strcat(daemon->dhcp_buff, " init");
+ leasestream = popen(daemon->dhcp_buff, "r");
+--
+2.33.0
+
diff --git a/backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch b/backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch
new file mode 100644
index 0000000..c74de9c
--- /dev/null
+++ b/backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch
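Review bot: The guard added to lease_init in the carried patch compares against DHCP_BUFF_SZ, but nothing in the hunk shows that daemon->dhcp_buff is allocated with that size; the allocation lives elsewhere, so the assumption should be stated next to the check once confirmed, e.g. `/* 6 == strlen(" init") plus terminator; dhcp_buff is DHCP_BUFF_SZ bytes */`. The copy two lines below still uses unbounded strcpy/strcat, so the bound is only as good as the literal 6 staying in sync with the " init" suffix; a single bounded write keeps the check self-describing: `if (snprintf(daemon->dhcp_buff, DHCP_BUFF_SZ, "%s init", daemon->lease_change_command) >= DHCP_BUFF_SZ)` followed by the same die() call, which is the identical condition (len + 5 >= size). lease_init continues outside the hunk, so any other writer of dhcp_buff in this function is not visible here.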
@@ -0,0 +1,35 @@
+From b087cf4a6c3dd4c323a099770a44c24812381bf4 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Thu, 21 Nov 2024 15:28:31 +0000
+Subject: [PATCH] Fix out-of-bounds heap read in order_qsort().
+
+We only need to order two server records on the ->serial field.
+Literal address records are smaller and don't have
+this field and don't need to be ordered on it.
+To actually provoke this bug seems to need the same server-literal
+to be repeated twice, eg --address=/a/1.1.1.1 --address-/a/1.1.1.1
+which is clearly rare in the wild, but if it did exist it could
+provoke a SIGSEV. Thanks to Daniel Rhea for fuzzing this one.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=b087cf4a6c3dd4c323a099770a44c24812381bf4
+Conflict:NA
+---
+ src/domain-match.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/domain-match.c b/src/domain-match.c
+index e0f4313..d79967f 100644
+--- a/src/domain-match.c
++++ b/src/domain-match.c
+@@ -540,7 +540,7 @@ static int order_qsort(const void *a, const void *b)
+
+ /* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */
+ if (rc == 0)
+- if (!(s1->flags & SERV_LITERAL_ADDRESS))
++ if (!(s1->flags & SERV_IS_LOCAL) && !(s2->flags & SERV_IS_LOCAL))
+ rc = s1->serial - s2->serial;
+
+ return rc;
+--
+2.33.0
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 4cd616f..2265825 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -1,6 +1,6 @@
 Name: dnsmasq
 Version: 2.90
-Release: 2
+Release: 3
 Summary: Dnsmasq provides network infrastructure for small networks
 License: GPLv2 or GPLv3
 URL: http://www.thekelleys.org.uk/dnsmasq/
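Review bot: The new condition in order_qsort stops the read past the shorter record, but the line it guards, `rc = s1->serial - s2->serial;`, is still a plain subtraction, which is undefined behaviour if serial is a signed int and the two values differ by more than INT_MAX; if serial is a small counter this is harmless in practice, but a comparator is cheaper to keep safe than to audit: `rc = (s1->serial > s2->serial) - (s1->serial < s2->serial);`. That SERV_IS_LOCAL marks exactly the record types that lack the serial field comes from the patch description rather than from the visible code, so a one-line comment above the check would protect the next backport, e.g. `/* only full server records carry ->serial; local records are shorter */`. order_qsort begins before the hunk, so the earlier comparisons that set rc are not visible here.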
@@ -16,6 +16,8 @@ Patch5: backport-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
 Patch6: bugfix-allow-binding-mac-with-ipv6.patch
 Patch7: bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch
 Patch8: backport-Fix-crash-when-reloading-DHCP-config-on-SIGHUP.patch
+Patch9: backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch
+Patch10: backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch
 BuildRequires: gcc
 BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd
@@ -105,6 +107,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*
 %changelog
+* Thu Dec 12 2024 huyizhen - 2.90-3
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:backport upstream patches
+
 * Sat Oct 12 2024 huyizhen - 2.90-2
 - Type:bugfix
 - CVE:
-- Gitee
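Review bot: Patch9 and Patch10 are declared here, but the %prep section that applies them is outside this hunk, so the change does not show whether the two backports are actually applied; if %prep uses `%autosetup -p1` they are picked up automatically, but if it lists patches individually this commit also needs `%patch9 -p1` and `%patch10 -p1` or both fixes are silently left out of the build. A quick confirmation is to run the prep stage and check the unpacked tree for the new `SERV_IS_LOCAL` condition and the "lease-change script name is too long" message. The changelog entry in the second hunk leaves `CVE:` empty for two memory-safety fixes; if upstream or a distro tracker has assigned identifiers to them they belong there, otherwise `CVE:NA` would match the `SUG:NA` convention and make the omission deliberate.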