From f3c63e7ccf92cb5050a535efc5be2333a53c09c0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 23 Sep 2016 14:44:11 +0200
Subject: [PATCH 1/3] deps: avoid single-byte buffer overwrite
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Incorrect string length calculation when passing escaped dot.

- CVE: CVE-2016-5180
- Upstream bug: https://c-ares.haxx.se/adv_20160929.html

Ref: https://github.com/nodejs/node/pull/9037
PR-URL: https://github.com/nodejs/node/pull/8849
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
---
 deps/cares/src/ares_create_query.c | 84 ++++++++++++++----------------
 1 file changed, 39 insertions(+), 45 deletions(-)

diff --git a/deps/cares/src/ares_create_query.c b/deps/cares/src/ares_create_query.c
index 8624e2f589bbb3..abae64a0462c82 100644
--- a/deps/cares/src/ares_create_query.c
+++ b/deps/cares/src/ares_create_query.c
@@ -85,57 +85,31 @@
  */
 
 int ares_create_query(const char *name, int dnsclass, int type,
-                      unsigned short id, int rd, unsigned char **buf,
-                      int *buflen, int max_udp_size)
+                      unsigned short id, int rd, unsigned char **bufp,
+                      int *buflenp, int max_udp_size)
 {
-  int len;
+  size_t len;
   unsigned char *q;
   const char *p;
+  size_t buflen;
+  unsigned char *buf;
 
   /* Set our results early, in case we bail out early with an error. */
-  *buflen = 0;
-  *buf = NULL;
+  *buflenp = 0;
+  *bufp = NULL;
 
-  /* Compute the length of the encoded name so we can check buflen.
-   * Start counting at 1 for the zero-length label at the end. */
-  len = 1;
-  for (p = name; *p; p++)
-    {
-      if (*p == '\\' && *(p + 1) != 0)
-        p++;
-      len++;
-    }
-  /* If there are n periods in the name, there are n + 1 labels, and
-   * thus n + 1 length fields, unless the name is empty or ends with a
-   * period.  So add 1 unless name is empty or ends with a period.
+  /* Allocate a memory area for the maximum size this packet might need. +2
+   * is for the length byte and zero termination if no dots or ecscaping is
+   * used.
    */
-  if (*name && *(p - 1) != '.')
-    len++;
-
-  /* Immediately reject names that are longer than the maximum of 255
-   * bytes that's specified in RFC 1035 ("To simplify implementations,
-   * the total length of a domain name (i.e., label octets and label
-   * length octets) is restricted to 255 octets or less."). We aren't
-   * doing this just to be a stickler about RFCs. For names that are
-   * too long, 'dnscache' closes its TCP connection to us immediately
-   * (when using TCP) and ignores the request when using UDP, and
-   * BIND's named returns ServFail (TCP or UDP). Sending a request
-   * that we know will cause 'dnscache' to close the TCP connection is
-   * painful, since that makes any other outstanding requests on that
-   * connection fail. And sending a UDP request that we know
-   * 'dnscache' will ignore is bad because resources will be tied up
-   * until we time-out the request.
-   */
-  if (len > MAXCDNAME)
-    return ARES_EBADNAME;
-
-  *buflen = len + HFIXEDSZ + QFIXEDSZ + (max_udp_size ? EDNSFIXEDSZ : 0);
-  *buf = malloc(*buflen);
-  if (!*buf)
-      return ARES_ENOMEM;
+  len = strlen(name) + 2 + HFIXEDSZ + QFIXEDSZ +
+    (max_udp_size ? EDNSFIXEDSZ : 0);
+  buf = malloc(len);
+  if (!buf)
+    return ARES_ENOMEM;
 
   /* Set up the header. */
-  q = *buf;
+  q = buf;
   memset(q, 0, HFIXEDSZ);
   DNS_HEADER_SET_QID(q, id);
   DNS_HEADER_SET_OPCODE(q, QUERY);
@@ -159,8 +133,10 @@ int ares_create_query(const char *name, int dnsclass, int type,
   q += HFIXEDSZ;
   while (*name)
     {
-      if (*name == '.')
+      if (*name == '.') {
+        free (buf);
         return ARES_EBADNAME;
+      }
 
       /* Count the number of bytes in this label. */
       len = 0;
@@ -170,8 +146,10 @@ int ares_create_query(const char *name, int dnsclass, int type,
             p++;
           len++;
         }
-      if (len > MAXLABEL)
+      if (len > MAXLABEL) {
+        free (buf);
         return ARES_EBADNAME;
+      }
 
       /* Encode the length and copy the data. */
       *q++ = (unsigned char)len;
@@ -195,14 +173,30 @@ int ares_create_query(const char *name, int dnsclass, int type,
   DNS_QUESTION_SET_TYPE(q, type);
   DNS_QUESTION_SET_CLASS(q, dnsclass);
 
+  q += QFIXEDSZ;
   if (max_udp_size)
   {
-      q += QFIXEDSZ;
       memset(q, 0, EDNSFIXEDSZ);
       q++;
       DNS_RR_SET_TYPE(q, T_OPT);
       DNS_RR_SET_CLASS(q, max_udp_size);
+      q += (EDNSFIXEDSZ-1);
+  }
+  buflen = (q - buf);
+
+  /* Reject names that are longer than the maximum of 255 bytes that's
+   * specified in RFC 1035 ("To simplify implementations, the total length of
+   * a domain name (i.e., label octets and label length octets) is restricted
+   * to 255 octets or less."). */
+  if (buflen > (MAXCDNAME + HFIXEDSZ + QFIXEDSZ +
+                (max_udp_size ? EDNSFIXEDSZ : 0))) {
+    free (buf);
+    return ARES_EBADNAME;
   }
 
+  /* we know this fits in an int at this point */
+  *buflenp = (int) buflen;
+  *bufp = buf;
+
   return ARES_SUCCESS;
 }

From 5a0daa6c2fdf98700737f3d6c646d2a3233a788e Mon Sep 17 00:00:00 2001
From: Rod Vagg <rod@vagg.org>
Date: Tue, 18 Oct 2016 21:26:39 +1100
Subject: [PATCH 2/3] win,build: try multiple timeservers when signing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-URL: https://github.com/nodejs/node/pull/9155
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: João Reis <reis@janeasystems.com>
---
 tools/sign.bat | 15 +++++++++++++++
 vcbuild.bat    |  4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 tools/sign.bat

diff --git a/tools/sign.bat b/tools/sign.bat
new file mode 100644
index 00000000000000..82daaef575f3e8
--- /dev/null
+++ b/tools/sign.bat
@@ -0,0 +1,15 @@
+@echo off
+
+set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
+
+for %%s in %timeservers% do (
+    signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1
+    if not ERRORLEVEL 1 (
+        echo Successfully signed %1 using timeserver %%s
+        exit /b 0
+    )
+    echo Signing %1 failed using %%s
+)
+
+echo Could not sign %1 using any available timeserver
+exit /b 1
diff --git a/vcbuild.bat b/vcbuild.bat
index b5844c817fe8c7..12221606853232 100644
--- a/vcbuild.bat
+++ b/vcbuild.bat
@@ -204,7 +204,7 @@ if "%target%" == "Clean" goto exit
 @rem Skip signing if the `nosign` option was specified.
 if defined nosign goto licensertf
 
-signtool sign /a /d "Node.js" /du "https://nodejs.org" /t http://timestamp.globalsign.com/scripts/timestamp.dll Release\node.exe
+call tools\sign.bat Release\node.exe
 if errorlevel 1 echo Failed to sign exe&goto exit
 
 :licensertf
@@ -272,7 +272,7 @@ msbuild "%~dp0tools\msvs\msi\nodemsi.sln" /m /t:Clean,Build /p:PlatformToolset=%
 if errorlevel 1 goto exit
 
 if defined nosign goto upload
-signtool sign /a /d "Node.js" /du "https://nodejs.org" /t http://timestamp.globalsign.com/scripts/timestamp.dll node-v%FULLVERSION%-%target_arch%.msi
+call tools\sign.bat node-v%FULLVERSION%-%target_arch%.msi
 if errorlevel 1 echo Failed to sign msi&goto exit
 
 :upload

From b6cbfdd8f8d5418c30af18f67fb25b9fce9cedcc Mon Sep 17 00:00:00 2001
From: Rod Vagg <rod@vagg.org>
Date: Tue, 18 Oct 2016 19:58:58 +1100
Subject: [PATCH 3/3] 2016-10-18, Version 4.6.1 'Argon' (LTS)

This is a security release. All Node.js users should consult the security
release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
  information at https://c-ares.haxx.se/adv_20160929.html (Daniel Stenberg)

PR-URL: https://github.com/nodejs/node/pull/9153
---
 CHANGELOG.md       | 12 ++++++++++++
 src/node_version.h |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79cf6ff83c8216..2d230fd09434e9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Node.js ChangeLog
 
+## 2016-10-18, Version 4.6.1 'Argon' (LTS), @rvagg
+
+This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for details on patched vulnerabilities.
+
+### Notable Changes
+
+* **c-ares**: fix for single-byte buffer overwrite, CVE-2016-5180, more information at https://c-ares.haxx.se/adv_20160929.html (Daniel Stenberg)
+
+### Commits
+
+* [[`f3c63e7ccf`](https://github.com/nodejs/node/commit/f3c63e7ccf)] - **deps**: avoid single-byte buffer overwrite (Daniel Stenberg) [#8849](https://github.com/nodejs/node/pull/8849)
+
 ## 2016-09-27, Version 4.6.0 'Argon' (LTS), @rvagg
 
 This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ for details on patched vulnerabilities.
diff --git a/src/node_version.h b/src/node_version.h
index 52f180eebe82a9..8a239e036b81cc 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -8,7 +8,7 @@
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Argon"
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)