[src/netbsd-7-1]: src/external/bsd/dhcpcd/dist Apply patch, requested by roy ...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/netbsd-7-1]: src/external/bsd/dhcpcd/dist Apply patch, requested by roy ...
From: martin <martin%NetBSD.org@localhost>
Date: Wed, 01 May 2019 12:39:28 +0000

details:   https://anonhg.NetBSD.org/src/rev/ceed0913a61b
branches:  netbsd-7-1
changeset: 450952:ceed0913a61b
user:      martin <martin%NetBSD.org@localhost>
date:      Wed May 01 09:25:16 2019 +0000

description:
Apply patch, requested by roy in ticket #1690:

        external/bsd/dhcpcd/dist/configure
        external/bsd/dhcpcd/dist/src/auth.c
        external/bsd/dhcpcd/dist/src/dhcp.c
        external/bsd/dhcpcd/dist/src/dhcp6.c
        external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.

diffstat:

 external/bsd/dhcpcd/dist/auth.c   |   4 +-
 external/bsd/dhcpcd/dist/dhcp.c   |  76 ++++++++++++++++++++++++--------------
 external/bsd/dhcpcd/dist/dhcpcd.h |   3 +-
 3 files changed, 52 insertions(+), 31 deletions(-)

diffs (139 lines):

diff -r 6a745f747342 -r ceed0913a61b external/bsd/dhcpcd/dist/auth.c
--- a/external/bsd/dhcpcd/dist/auth.c   Fri Apr 19 16:02:50 2019 +0000
+++ b/external/bsd/dhcpcd/dist/auth.c   Wed May 01 09:25:16 2019 +0000
@@ -1,5 +1,5 @@
 #include <sys/cdefs.h>
- __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2.6.1 2019/05/01 09:25:16 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -340,7 +340,7 @@
        }
 
        free(mm);
-       if (memcmp(d, &hmac, dlen)) {
+       if (!consttime_memequal(d, &hmac, dlen)) {
                errno = EPERM;
                return NULL;
        }
diff -r 6a745f747342 -r ceed0913a61b external/bsd/dhcpcd/dist/dhcp.c
--- a/external/bsd/dhcpcd/dist/dhcp.c   Fri Apr 19 16:02:50 2019 +0000
+++ b/external/bsd/dhcpcd/dist/dhcp.c   Wed May 01 09:25:16 2019 +0000
@@ -1,5 +1,5 @@
 #include <sys/cdefs.h>
- __RCSID("$NetBSD: dhcp.c,v 1.15.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: dhcp.c,v 1.15.2.2.6.1 2019/05/01 09:25:16 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -166,28 +166,6 @@
 
        while (p < e) {
                o = *p++;
-               if (o == opt) {
-                       if (op) {
-                               if (!ctx->opt_buffer) {
-                                       ctx->opt_buffer =
-                                           malloc(DHCP_OPTION_LEN +
-                                           BOOTFILE_LEN + SERVERNAME_LEN);
-                                       if (ctx->opt_buffer == NULL)
-                                               return NULL;
-                               }
-                               if (!bp)
-                                       bp = ctx->opt_buffer;
-                               memcpy(bp, op, ol);
-                               bp += ol;
-                       }
-                       ol = *p;
-                       if (p + ol > e) {
-                               errno = EINVAL;
-                               return NULL;
-                       }
-                       op = p + 1;
-                       bl += ol;
-               }
                switch (o) {
                case DHO_PAD:
                        continue;
@@ -205,16 +183,58 @@
                        } else
                                goto exit;
                        break;
-               case DHO_OPTIONSOVERLOADED:
+               }
+
+               /* Check we can read the length */
+               if (p == e) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+               l = *p++;
+
+               /* Check we can read the option data, if present */
+               if (p + l > e) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+
+               if (o == DHO_OPTIONSOVERLOADED) {
                        /* Ensure we only get this option once by setting
                         * the last bit as well as the value.
                         * This is valid because only the first two bits
                         * actually mean anything in RFC2132 Section 9.3 */
-                       if (!overl)
-                               overl = 0x80 | p[1];
-                       break;
+                       if (l == 1 && !overl)
+                               overl = 0x80 | p[0];
                }
-               l = *p++;
+
+               if (o == opt) {
+                       if (op) {
+                               /* We must concatonate the options. */
+                               if (bl + l > ctx->opt_buffer_len) {
+                                       size_t pos;
+                                       uint8_t *nb;
+
+                                       if (bp)
+                                               pos = (size_t)
+                                                   (bp - ctx->opt_buffer);
+                                       else
+                                               pos = 0;
+                                       nb = realloc(ctx->opt_buffer, bl + l);
+                                       if (nb == NULL)
+                                               return NULL;
+                                       ctx->opt_buffer = nb;
+                                       ctx->opt_buffer_len = bl + l;
+                                       bp = ctx->opt_buffer + pos;
+                               }
+                               if (bp == NULL)
+                                       bp = ctx->opt_buffer;
+                               memcpy(bp, op, ol);
+                               bp += ol;
+                       }
+                       ol = l;
+                       op = p;
+                       bl += ol;
+               }
                p += l;
        }
 
diff -r 6a745f747342 -r ceed0913a61b external/bsd/dhcpcd/dist/dhcpcd.h
--- a/external/bsd/dhcpcd/dist/dhcpcd.h Fri Apr 19 16:02:50 2019 +0000
+++ b/external/bsd/dhcpcd/dist/dhcpcd.h Wed May 01 09:25:16 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2 2015/02/05 15:13:12 martin Exp $ */
+/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2.6.1 2019/05/01 09:25:16 martin Exp $ */
 
 /*
  * dhcpcd - DHCP client daemon
@@ -131,6 +131,7 @@
         * We ONLY use this when options are split, which for most purposes is
         * practically never. See RFC3396 for details. */
        uint8_t *opt_buffer;
+       size_t opt_buffer_len;
 #endif
 #ifdef INET6
        unsigned char secret[SECRET_LEN];

Prev by Date: [src/netbsd-8]: src/doc Tickets #1251 - #1253
Next by Date: [src/netbsd-7-1]: src/doc Ticket #1690
Previous by Thread: [src/netbsd-8]: src/doc Tickets #1251 - #1253
Next by Thread: [src/netbsd-7-1]: src/doc Ticket #1690
Indexes:

Home | Main Index | Thread Index | Old Index