diff -Nru systemd-232/debian/changelog systemd-232/debian/changelog
--- systemd-232/debian/changelog 2017-05-24 15:26:16.000000000 +0000
+++ systemd-232/debian/changelog 2017-06-21 15:33:22.000000000 +0000
@@ -1,3 +1,14 @@
+systemd (232-21ubuntu5) zesty-security; urgency=medium
+
+ * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
+ - debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch:
+ Add a simple allocation test
+ - debian/patches/resolved-simplify-alloc-size-calculation.patch: Simply
+ allocation size calculation
+ - CVE-2017-9445
+
+ -- Chris Coulson Wed, 21 Jun 2017 16:33:22 +0100
+
 systemd (232-21ubuntu4) zesty; urgency=medium
 
 * Cherrypick upstream commit to enable system use kernel maximum limit for
diff -Nru systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch
--- systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch 2017-06-21 15:32:56.000000000 +0000
@@ -0,0 +1,49 @@
+From 8587c3351003b1613ad2e439cebbb20fbae07e70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 18 Jun 2017 16:07:57 -0400
+Subject: [PATCH 2/2] resolved: simplify alloc size calculation
+
+The allocation size was calculated in a complicated way, and for values
+close to the page size we would actually allocate less than requested.
+
+Reported by Chris Coulson .
+---
+ src/resolve/resolved-dns-packet.c | 8 +-------
+ src/resolve/resolved-dns-packet.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 240ee448f4..821b66e266 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+
+ assert(ret);
+
+- if (mtu <= UDP_PACKET_HEADER_SIZE)
+- a = DNS_PACKET_SIZE_START;
+- else
+- a = mtu - UDP_PACKET_HEADER_SIZE;
+-
+- if (a < DNS_PACKET_HEADER_SIZE)
+- a = DNS_PACKET_HEADER_SIZE;
++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+
+ /* round up to next page size */
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
+index 2c92392e4d..3abcaf8cf3 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -66,8 +66,6 @@ struct DnsPacketHeader {
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
+
+-#define DNS_PACKET_SIZE_START 512
+-
+ struct DnsPacket {
+ int n_ref;
+ DnsProtocol protocol;
+--
+2.13.0
+
diff -Nru systemd-232/debian/patches/series systemd-232/debian/patches/series
--- systemd-232/debian/patches/series 2017-05-24 15:24:44.000000000 +0000
+++ systemd-232/debian/patches/series 2017-06-21 15:33:14.000000000 +0000
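Review bot: In `dns_packet_new()` the round-up `PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a)` now takes `a` straight from the caller's `size_t mtu`, with no upper bound visible in this hunk. An `mtu` close to `SIZE_MAX` could therefore wrap the addition and again yield a buffer smaller than requested, which is the kind of under-allocation this patch is fixing. Clamping before the arithmetic makes the result independent of what callers pass: `a = MIN(MAX(mtu, DNS_PACKET_HEADER_SIZE), DNS_PACKET_SIZE_MAX);`. The function body continues outside the hunk; a later cap on `a`, if there is one, would not help once the sum has wrapped. The loop in the accompanying test-resolved-packet.c stops at `DNS_PACKET_SIZE_MAX + 1`, so it does not reach this case.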
@@ -90,3 +90,5 @@
 debian/Let-graphical-session-pre.target-be-manually-started.patch
 debian/Add-env-variable-for-machine-ID-path.patch
 cryptsetup-generator-run-cryptsetup-service-before-swap-u.patch
+test-resolved-packet-add-a-simple-test-for-our-alloc.patch
+resolved-simplify-alloc-size-calculation.patch
diff -Nru systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch
--- systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch 2017-06-21 15:32:50.000000000 +0000
@@ -0,0 +1,112 @@
+From c67ed7b00f62b3ea6f9476b491fd5db590d04cf4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 18 Jun 2017 15:53:15 -0400
+Subject: [PATCH 1/2] test-resolved-packet: add a simple test for our
+ allocation functions
+
+---
+ .gitignore | 1 +
+ Makefile.am | 14 ++++++++++++
+ src/resolve/meson.build | 9 ++++++++
+ src/resolve/test-resolved-packet.c | 45 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 69 insertions(+)
+ create mode 100644 src/resolve/test-resolved-packet.c
+
+diff --git a/.gitignore b/.gitignore
+index 60eda2b8ce..bc47db6481 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -271,6 +271,7 @@
+ /test-replace-var
+ /test-resolve
+ /test-resolve-tables
++/test-resolved-packet
+ /test-ring
+ /test-rlimit-util
+ /test-sched-prio
+diff --git a/Makefile.am b/Makefile.am
+index 3b9ed874e5..59899c65cc 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -5748,6 +5748,7 @@ dist_zshcompletion_data += \
+ tests += \
+ test-dns-packet \
+ test-resolve-tables \
++ test-resolved-packet \
+ test-dnssec
+
+ manual_tests += \
+@@ -5769,6 +5770,19 @@ test_resolve_tables_LDADD = \
+ $(GCRYPT_LIBS) \
+ -lm
+
++test_resolved_packet_SOURCES = \
++ src/resolve/test-resolved-packet.c \
++ $(basic_dns_sources)
++
++test_resolved_packet_CFLAGS = \
++ $(AM_CFLAGS) \
++ $(GCRYPT_CFLAGS)
++
++test_resolved_packet_LDADD = \
++ libsystemd-shared.la \
++ $(GCRYPT_LIBS) \
++ -lm
++
+ test_dns_packet_SOURCES = \
+ src/resolve/test-dns-packet.c \
+ $(basic_dns_sources)
+diff --git a/src/resolve/test-resolved-packet.c b/src/resolve/test-resolved-packet.c
+new file mode 100644
+index 0000000000..8b7da1408d
+--- /dev/null
++++ b/src/resolve/test-resolved-packet.c
+@@ -0,0 +1,45 @@
++/***
++ This file is part of systemd
++
++ Copyright 2017 Zbigniew Jędrzejewski-Szmek
++
++ systemd is free software; you can redistribute it and/or modify it
++ under the terms of the GNU Lesser General Public License as published by
++ the Free Software Foundation; either version 2.1 of the License, or
++ (at your option) any later version.
++
++ systemd is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public License
++ along with systemd; If not, see .
++***/
++
++#include "log.h"
++#include "resolved-dns-packet.h"
++
++static void test_dns_packet_new(void) {
++ size_t i;
++
++ for (i = 0; i < DNS_PACKET_SIZE_MAX + 2; i++) {
++ _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
++
++ assert_se(dns_packet_new(&p, DNS_PROTOCOL_DNS, i) == 0);
++
++ log_debug("dns_packet_new: %zu → %zu", i, p->allocated);
++ assert_se(p->allocated >= MIN(DNS_PACKET_SIZE_MAX, i));
++ }
++}
++
++int main(int argc, char **argv) {
++
++ log_set_max_level(LOG_DEBUG);
++ log_parse_environment();
++ log_open();
++
++ test_dns_packet_new();
++
++ return 0;
++}
+--
+2.13.0
+
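Review bot: The assertion in `test_dns_packet_new()` only compares the `p->allocated` field against the requested size and never touches the packet buffer, so it would still pass if the size handed to the allocator and the value recorded in `allocated` ever diverged. Since this is the regression test for an out-of-bounds write, writing the last claimed byte lets ASan or valgrind confirm the memory is really there, e.g. `DNS_PACKET_DATA(p)[p->allocated - 1] = 0;` after the existing `assert_se` (assuming the `DNS_PACKET_DATA()` accessor from resolved-dns-packet.h). A one-line comment above the loop stating the invariant, `/* allocated must never be smaller than the requested size, up to DNS_PACKET_SIZE_MAX */`, would also explain the `DNS_PACKET_SIZE_MAX + 2` bound.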