صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
erkanisik
/
core
mirrorاز https://github.com/pisilinux/core.git
دنبال کردن 1
ستاره دار 0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
شاخه: master
شاخه‌ها تگ‌ها
core
/
system
/
base
/
dhcpcd
/
files
/
dhcpcd-7.1.1-v6_read_overflow.patch

dhcpcd-7.1.1-v6_read_overflow.patch 3.3 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 
  1. From c1ebeaafeb324bac997984abdcee2d4e8b61a8a8 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Roy Marples <roy@marples.name>
    3. 

  3. Date: Fri, 3 May 2019 14:44:06 +0100
    4. 

  4. Subject: DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
    5. 

  5. 

  6. dhcpcd only checks that the prefix length of the exclusion
    7. 

  7. matches the prefix length of the ia and equals the length of the
    8. 

  8. data in the option.
    9. 

  9. This could potentially overrun the in6_addr structure.
    10. 

  10. 

  11. This is fixed by enforcing RFC 6603 section 4.2 option limits
    12. 

  12. more clearly.
    13. 

  13. 

  14. Thanks to Maxime Villard <max@m00nbsd.net> for finding this.
    15. 

  15. ---
    16. 

  16.  src/dhcp6.c | 44 +++++++++++++++++++++-----------------------
    17. 

  17.  1 file changed, 21 insertions(+), 23 deletions(-)
    18. 

  18. 

  19. diff --git a/src/dhcp6.c b/src/dhcp6.c
    20. 

  20. index dee8d4b6..583f3b3f 100644
    21. 

  21. --- a/src/dhcp6.c
    22. 

  22. +++ b/src/dhcp6.c
    23. 

  23. @@ -2166,40 +2166,38 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid,
    24. 

  24.  			state->expire = a->prefix_vltime;
    25. 

  25.  		i++;
    26. 

  26.  
    27. 

  27. -		o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
    28. 

  28.  		a->prefix_exclude_len = 0;
    29. 

  29.  		memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude));
    30. 

  30. -#if 0
    31. 

  31. -		if (ex == NULL) {
    32. 

  32. -			struct dhcp6_option *w;
    33. 

  33. -			uint8_t *wp;
    34. 

  34. -
    35. 

  35. -			w = calloc(1, 128);
    36. 

  36. -			w->len = htons(2);
    37. 

  37. -			wp = D6_OPTION_DATA(w);
    38. 

  38. -			*wp++ = 64;
    39. 

  39. -			*wp++ = 0x78;
    40. 

  40. -			ex = w;
    41. 

  41. -		}
    42. 

  42. -#endif
    43. 

  43. +		o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
    44. 

  44.  		if (o == NULL)
    45. 

  45.  			continue;
    46. 

  46. -		if (ol < 2) {
    47. 

  47. -			logerrx("%s: truncated PD Exclude", ifp->name);
    48. 

  48. +
    49. 

  49. +		/* RFC 6603 4.2 says option length MUST be between 2 and 17.
    50. 

  50. +		 * This allows 1 octet for prefix length and 16 for the
    51. 

  51. +		 * subnet ID. */
    52. 

  52. +		if (ol < 2 || ol > 17) {
    53. 

  53. +			logerrx("%s: invalid PD Exclude option", ifp->name);
    54. 

  54.  			continue;
    55. 

  55.  		}
    56. 

  56. -		a->prefix_exclude_len = *o++;
    57. 

  57. -		ol--;
    58. 

  58. -		if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
    59. 

  59. -		    != ol)
    60. 

  60. -		{
    61. 

  61. +
    62. 

  62. +		/* RFC 6603 4.2 says prefix length MUST be between the
    63. 

  63. +		 * length of the IAPREFIX prefix length + 1 and 128. */
    64. 

  64. +		if (*o < a->prefix_len + 1 || *o > 128) {
    65. 

  65. +			logerrx("%s: invalid PD Exclude length", ifp->name);
    66. 

  66. +			continue;
    67. 

  67. +		}
    68. 

  68. +
    69. 

  69. +		/* Check option length matches prefix length. */
    70. 

  70. +		if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
    71. 

  71.  			logerrx("%s: PD Exclude length mismatch", ifp->name);
    72. 

  72. -			a->prefix_exclude_len = 0;
    73. 

  73.  			continue;
    74. 

  74.  		}
    75. 

  75. -		nb = a->prefix_len % NBBY;
    76. 

  76. +
    77. 

  77. +		a->prefix_exclude_len = *o++;
    78. 

  78. +		ol--;
    79. 

  79.  		memcpy(&a->prefix_exclude, &a->prefix,
    80. 

  80.  		    sizeof(a->prefix_exclude));
    81. 

  81. +		nb = a->prefix_len % NBBY;
    82. 

  82.  		if (nb)
    83. 

  83.  			ol--;
    84. 

  84.  		pw = a->prefix_exclude.s6_addr +
    85. 

  85. -- 
    86. 

  86. cgit v1.2.1
    87. 

  87. 

  88. From 896ef4a54b0578985e5e1360b141593f1d62837b Mon Sep 17 00:00:00 2001
    89. 

  89. From: Roy Marples <roy@marples.name>
    90. 

  90. Date: Sat, 4 May 2019 10:19:02 +0100
    91. 

  91. Subject: DHCPv6: Fix exclude prefix length check.
    92. 

  92. 

  93. ---
    94. 

  94.  src/dhcp6.c | 4 ++--
    95. 

  95.  1 file changed, 2 insertions(+), 2 deletions(-)
    96. 

  96. 

  97. diff --git a/src/dhcp6.c b/src/dhcp6.c
    98. 

  98. index 583f3b3f..7f26129f 100644
    99. 

  99. --- a/src/dhcp6.c
    100. 

  100. +++ b/src/dhcp6.c
    101. 

  101. @@ -2187,14 +2187,14 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid,
    102. 

  102.  			continue;
    103. 

  103.  		}
    104. 

  104.  
    105. 

  105. +		ol--;
    106. 

  106.  		/* Check option length matches prefix length. */
    107. 

  107.  		if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
    108. 

  108.  			logerrx("%s: PD Exclude length mismatch", ifp->name);
    109. 

  109.  			continue;
    110. 

  110.  		}
    111. 

  111. -
    112. 

  112.  		a->prefix_exclude_len = *o++;
    113. 

  113. -		ol--;
    114. 

  114. +
    115. 

  115.  		memcpy(&a->prefix_exclude, &a->prefix,
    116. 

  116.  		    sizeof(a->prefix_exclude));
    117. 

  117.  		nb = a->prefix_len % NBBY;
    118. 

  118. -- 
    119. 

  119. cgit v1.2.1
    120. 

  120. 

  121.