Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7-0]: src/external/bsd/dhcpcd/dist Apply patch, requested by roy ...
details: https://anonhg.NetBSD.org/src/rev/5b69cf6d9a23
branches: netbsd-7-0
changeset: 450954:5b69cf6d9a23
user: martin <martin%NetBSD.org@localhost>
date: Wed May 01 09:26:23 2019 +0000
description:
Apply patch, requested by roy in ticket #1690:
external/bsd/dhcpcd/dist/configure
external/bsd/dhcpcd/dist/src/auth.c
external/bsd/dhcpcd/dist/src/dhcp.c
external/bsd/dhcpcd/dist/src/dhcp6.c
external/bsd/dhcpcd/dist/compat/consttime_memequal.h
Security fixes for dhcpcd:
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.
diffstat:
external/bsd/dhcpcd/dist/auth.c | 4 +-
external/bsd/dhcpcd/dist/dhcp.c | 76 ++++++++++++++++++++++++--------------
external/bsd/dhcpcd/dist/dhcpcd.h | 3 +-
3 files changed, 52 insertions(+), 31 deletions(-)
diffs (139 lines):
diff -r 5663fea43d02 -r 5b69cf6d9a23 external/bsd/dhcpcd/dist/auth.c
--- a/external/bsd/dhcpcd/dist/auth.c Fri Apr 19 16:05:05 2019 +0000
+++ b/external/bsd/dhcpcd/dist/auth.c Wed May 01 09:26:23 2019 +0000
@@ -1,5 +1,5 @@
#include <sys/cdefs.h>
- __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2.2.1 2019/05/01 09:26:23 martin Exp $");
/*
* dhcpcd - DHCP client daemon
@@ -340,7 +340,7 @@
}
free(mm);
- if (memcmp(d, &hmac, dlen)) {
+ if (!consttime_memequal(d, &hmac, dlen)) {
errno = EPERM;
return NULL;
}
diff -r 5663fea43d02 -r 5b69cf6d9a23 external/bsd/dhcpcd/dist/dhcp.c
--- a/external/bsd/dhcpcd/dist/dhcp.c Fri Apr 19 16:05:05 2019 +0000
+++ b/external/bsd/dhcpcd/dist/dhcp.c Wed May 01 09:26:23 2019 +0000
@@ -1,5 +1,5 @@
#include <sys/cdefs.h>
- __RCSID("$NetBSD: dhcp.c,v 1.15.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: dhcp.c,v 1.15.2.2.2.1 2019/05/01 09:26:23 martin Exp $");
/*
* dhcpcd - DHCP client daemon
@@ -166,28 +166,6 @@
while (p < e) {
o = *p++;
- if (o == opt) {
- if (op) {
- if (!ctx->opt_buffer) {
- ctx->opt_buffer =
- malloc(DHCP_OPTION_LEN +
- BOOTFILE_LEN + SERVERNAME_LEN);
- if (ctx->opt_buffer == NULL)
- return NULL;
- }
- if (!bp)
- bp = ctx->opt_buffer;
- memcpy(bp, op, ol);
- bp += ol;
- }
- ol = *p;
- if (p + ol > e) {
- errno = EINVAL;
- return NULL;
- }
- op = p + 1;
- bl += ol;
- }
switch (o) {
case DHO_PAD:
continue;
@@ -205,16 +183,58 @@
} else
goto exit;
break;
- case DHO_OPTIONSOVERLOADED:
+ }
+
+ /* Check we can read the length */
+ if (p == e) {
+ errno = EINVAL;
+ return NULL;
+ }
+ l = *p++;
+
+ /* Check we can read the option data, if present */
+ if (p + l > e) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (o == DHO_OPTIONSOVERLOADED) {
/* Ensure we only get this option once by setting
* the last bit as well as the value.
* This is valid because only the first two bits
* actually mean anything in RFC2132 Section 9.3 */
- if (!overl)
- overl = 0x80 | p[1];
- break;
+ if (l == 1 && !overl)
+ overl = 0x80 | p[0];
}
- l = *p++;
+
+ if (o == opt) {
+ if (op) {
+ /* We must concatonate the options. */
+ if (bl + l > ctx->opt_buffer_len) {
+ size_t pos;
+ uint8_t *nb;
+
+ if (bp)
+ pos = (size_t)
+ (bp - ctx->opt_buffer);
+ else
+ pos = 0;
+ nb = realloc(ctx->opt_buffer, bl + l);
+ if (nb == NULL)
+ return NULL;
+ ctx->opt_buffer = nb;
+ ctx->opt_buffer_len = bl + l;
+ bp = ctx->opt_buffer + pos;
+ }
+ if (bp == NULL)
+ bp = ctx->opt_buffer;
+ memcpy(bp, op, ol);
+ bp += ol;
+ }
+ ol = l;
+ op = p;
+ bl += ol;
+ }
p += l;
}
diff -r 5663fea43d02 -r 5b69cf6d9a23 external/bsd/dhcpcd/dist/dhcpcd.h
--- a/external/bsd/dhcpcd/dist/dhcpcd.h Fri Apr 19 16:05:05 2019 +0000
+++ b/external/bsd/dhcpcd/dist/dhcpcd.h Wed May 01 09:26:23 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2 2015/02/05 15:13:12 martin Exp $ */
+/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2.2.1 2019/05/01 09:26:23 martin Exp $ */
/*
* dhcpcd - DHCP client daemon
@@ -131,6 +131,7 @@
* We ONLY use this when options are split, which for most purposes is
* practically never. See RFC3396 for details. */
uint8_t *opt_buffer;
+ size_t opt_buffer_len;
#endif
#ifdef INET6
unsigned char secret[SECRET_LEN];
Home |
Main Index |
Thread Index |
Old Index