[src/netbsd-7]: src/external/bsd/dhcpcd/dist Apply patch, requested by roy in...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/1a5324bdf27b
branches:  netbsd-7
changeset: 450828:1a5324bdf27b
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Apr 26 19:47:23 2019 +0000

description:
Apply patch, requested by roy in ticket #1690:

        external/bsd/dhcpcd/dist/configure
        external/bsd/dhcpcd/dist/src/auth.c
        external/bsd/dhcpcd/dist/src/dhcp.c
        external/bsd/dhcpcd/dist/src/dhcp6.c
        external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential buffer overflow reading NA/TA addresses.
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.

diffstat:

 external/bsd/dhcpcd/dist/compat/consttime_memequal.h |  28 ++++++++++++++++++++
 external/bsd/dhcpcd/dist/configure                   |  22 +++++++++++++++
 external/bsd/dhcpcd/dist/src/auth.c                  |   2 +-
 external/bsd/dhcpcd/dist/src/dhcp.c                  |  10 ++++--
 external/bsd/dhcpcd/dist/src/dhcp6.c                 |   4 +-
 5 files changed, 59 insertions(+), 7 deletions(-)

diffs (128 lines):

diff -r 6acc6151f301 -r 1a5324bdf27b external/bsd/dhcpcd/dist/compat/consttime_memequal.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/dhcpcd/dist/compat/consttime_memequal.h      Fri Apr 26 19:47:23 2019 +0000
@@ -0,0 +1,28 @@
+/*
+ * Written by Matthias Drochner <drochner%NetBSD.org@localhost>.
+ * Public domain.
+ */
+
+#ifndef CONSTTIME_MEMEQUAL_H
+#define CONSTTIME_MEMEQUAL_H
+inline static int
+consttime_memequal(const void *b1, const void *b2, size_t len)
+{
+       const unsigned char *c1 = b1, *c2 = b2;
+       unsigned int res = 0;
+
+       while (len--)
+               res |= *c1++ ^ *c2++;
+
+       /*
+        * Map 0 to 1 and [1, 256) to 0 using only constant-time
+        * arithmetic.
+        *
+        * This is not simply `!res' because although many CPUs support
+        * branchless conditional moves and many compilers will take
+        * advantage of them, certain compilers generate branches on
+        * certain CPUs for `!res'.
+        */
+       return (1 & ((res - 1) >> 8));
+}
+#endif /* CONSTTIME_MEMEQUAL_H */
diff -r 6acc6151f301 -r 1a5324bdf27b external/bsd/dhcpcd/dist/configure
--- a/external/bsd/dhcpcd/dist/configure        Fri Apr 19 16:02:01 2019 +0000
+++ b/external/bsd/dhcpcd/dist/configure        Fri Apr 26 19:47:23 2019 +0000
@@ -13,6 +13,7 @@
 INET6=
 ARC4RANDOM=
 CLOSEFROM=
+CONSTTIME_MEMEQUAL=
 STRLCPY=
 UDEV=
 OS=
@@ -845,6 +846,27 @@
        echo "#include                  \"compat/strtoi.h\"" >>$CONFIG_H
 fi
 
+if [ -z "$CONSTTIME_MEMEQUAL" ]; then
+       printf "Testing for consttime_memequal ... "
+       cat <<EOF >_consttime_memequal.c
+#include <string.h>
+int main(void) {
+       return consttime_memequal("deadbeef", "deadbeef", 8);
+}
+EOF
+       if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then
+               CONSTTIME_MEMEQUAL=yes
+       else
+               CONSTTIME_MEMEQUAL=no
+       fi
+       echo "$CONSTTIME_MEMEQUAL"
+       rm -f _consttime_memequal.c _consttime_memequal
+fi
+if [ "$CONSTTIME_MEMEQUAL" = no ]; then
+       echo "#include                  \"compat/consttime_memequal.h\"" \
+           >>$CONFIG_H
+fi
+
 if [ -z "$DPRINTF" ]; then
        printf "Testing for dprintf ... "
        cat <<EOF >_dprintf.c
diff -r 6acc6151f301 -r 1a5324bdf27b external/bsd/dhcpcd/dist/src/auth.c
--- a/external/bsd/dhcpcd/dist/src/auth.c       Fri Apr 19 16:02:01 2019 +0000
+++ b/external/bsd/dhcpcd/dist/src/auth.c       Fri Apr 26 19:47:23 2019 +0000
@@ -354,7 +354,7 @@
        }
 
        free(mm);
-       if (memcmp(d, &hmac_code, dlen)) {
+       if (!consttime_memequal(d, &hmac_code, dlen)) {
                errno = EPERM;
                return NULL;
        }
diff -r 6acc6151f301 -r 1a5324bdf27b external/bsd/dhcpcd/dist/src/dhcp.c
--- a/external/bsd/dhcpcd/dist/src/dhcp.c       Fri Apr 19 16:02:01 2019 +0000
+++ b/external/bsd/dhcpcd/dist/src/dhcp.c       Fri Apr 26 19:47:23 2019 +0000
@@ -212,6 +212,12 @@
                }
                l = *p++;
 
+               /* Check we can read the option data, if present */
+               if (p + l > e) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+
                if (o == DHO_OPTSOVERLOADED) {
                        /* Ensure we only get this option once by setting
                         * the last bit as well as the value.
@@ -246,10 +252,6 @@
                                bp += ol;
                        }
                        ol = l;
-                       if (p + ol >= e) {
-                               errno = EINVAL;
-                               return NULL;
-                       }
                        op = p;
                        bl += ol;
                }
diff -r 6acc6151f301 -r 1a5324bdf27b external/bsd/dhcpcd/dist/src/dhcp6.c
--- a/external/bsd/dhcpcd/dist/src/dhcp6.c      Fri Apr 19 16:02:01 2019 +0000
+++ b/external/bsd/dhcpcd/dist/src/dhcp6.c      Fri Apr 26 19:47:23 2019 +0000
@@ -2015,12 +2015,12 @@
                nd = o + ol;
                l -= (size_t)(nd - d);
                d = nd;
-               if (ol < 24) {
+               if (ol < sizeof(ia)) {
                        errno = EINVAL;
                        logerrx("%s: IA Address option truncated", ifp->name);
                        continue;
                }
-               memcpy(&ia, o, ol);
+               memcpy(&ia, o, sizeof(ia));
                ia.pltime = ntohl(ia.pltime);
                ia.vltime = ntohl(ia.vltime);
                /* RFC 3315 22.6 */