Source-Changes-HG archive
[src/netbsd-7]: src/external/bsd/dhcpcd/dist/src Apply patch, requested by ro...
details: https://anonhg.NetBSD.org/src/rev/696f670f137e
branches: netbsd-7
changeset: 800651:696f670f137e
user: martin <martin%NetBSD.org@localhost>
date: Sun May 05 09:02:45 2019 +0000
description:
Apply patch, requested by roy in ticket #1695:
external/bsd/dhcpcd/dist/src/dhcp6.c
DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
diffstat:
external/bsd/dhcpcd/dist/src/dhcp6.c | 48 +++++++++++++++++------------------
1 files changed, 23 insertions(+), 25 deletions(-)
diffs (67 lines):
diff -r 5bd3bb57bcd7 -r 696f670f137e external/bsd/dhcpcd/dist/src/dhcp6.c
--- a/external/bsd/dhcpcd/dist/src/dhcp6.c Sun May 05 08:48:13 2019 +0000
+++ b/external/bsd/dhcpcd/dist/src/dhcp6.c Sun May 05 09:02:45 2019 +0000
@@ -2152,40 +2152,38 @@
state->expire = a->prefix_vltime;
i++;
- o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
a->prefix_exclude_len = 0;
memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude));
-#if 0
- if (ex == NULL) {
- struct dhcp6_option *w;
- uint8_t *wp;
-
- w = calloc(1, 128);
- w->len = htons(2);
- wp = D6_OPTION_DATA(w);
- *wp++ = 64;
- *wp++ = 0x78;
- ex = w;
- }
-#endif
+ o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
if (o == NULL)
continue;
- if (ol < 2) {
- logerrx("%s: truncated PD Exclude", ifp->name);
+
+ /* RFC 6603 4.2 says option length MUST be between 2 and 17.
+ * This allows 1 octet for prefix length and 16 for the
+ * subnet ID. */
+ if (ol < 2 || ol > 17) {
+ logerrx("%s: invalid PD Exclude option", ifp->name);
+ continue;
+ }
+
+ /* RFC 6603 4.2 says prefix length MUST be between the
+ * length of the IAPREFIX prefix length + 1 and 128. */
+ if (*o < a->prefix_len + 1 || *o > 128) {
+ logerrx("%s: invalid PD Exclude length", ifp->name);
+ continue;
+ }
+
+ ol--;
+ /* Check option length matches prefix length. */
+ if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
+ logerrx("%s: PD Exclude length mismatch", ifp->name);
continue;
}
a->prefix_exclude_len = *o++;
- ol--;
- if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
- != ol)
- {
- logerrx("%s: PD Exclude length mismatch", ifp->name);
- a->prefix_exclude_len = 0;
- continue;
- }
- nb = a->prefix_len % NBBY;
+
memcpy(&a->prefix_exclude, &a->prefix,
sizeof(a->prefix_exclude));
+ nb = a->prefix_len % NBBY;
if (nb)
ol--;
pw = a->prefix_exclude.s6_addr +
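Review bot: The length-match test `((*o - a->prefix_len - 1) / NBBY) + 1 != ol` is only sound because the range check just above it has already rejected `*o <= a->prefix_len`. Without that guard, and assuming the operands promote to int, the subtraction goes negative, the division truncates toward zero, and an exclude length no longer than the delegated prefix would still match `ol == 1`. Nothing in the code says this ordering is load-bearing, so I would extend the comment to `/* Check option length matches prefix length. Relies on the range check above: *o > a->prefix_len, so the subtraction cannot go negative. */`. The three `logerrx` calls also omit the received values; adding `ol`, `*o` and `a->prefix_len` to the messages would let an operator see from the log what a misbehaving server actually sent. The enclosing loop begins and ends outside this hunk and the `pw = ...` statement on the last line is cut off, so the copy that consumes `ol` is not covered by this note.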