kumquat-buildroot/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch

From b8c29336bd5401a5f962bc6ddfa4ebb6f0274f3c Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Sat, 10 Feb 2018 12:15:27 -0500
Subject: [PATCH 1/2] Correct buffer overrun in pretty_print_option

    Merges in rt47139.

[baruch: drop RELNOTES and test; address CVE-2018-5732]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: backported from commit c5931725b48
---
 common/options.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/common/options.c b/common/options.c
index 5547287fb6e5..2ed6b16c6412 100644
--- a/common/options.c
+++ b/common/options.c
@@ -1758,7 +1758,8 @@ format_min_length(format, oc)
 
 
 /* Format the specified option so that a human can easily read it. */
-
+/* Maximum pretty printed size */
+#define MAX_OUTPUT_SIZE 32*1024
 const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 	struct option *option;
 	const unsigned char *data;
@@ -1766,8 +1767,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 	int emit_commas;
 	int emit_quotes;
 {
-	static char optbuf [32768]; /* XXX */
-	static char *endbuf = &optbuf[sizeof(optbuf)];
+	/* We add 128 byte pad so we don't have to add checks everywhere. */
+	static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
+	static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
 	int hunksize = 0;
 	int opthunk = 0;
 	int hunkinc = 0;
@@ -2193,7 +2195,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 				log_error ("Unexpected format code %c",
 					   fmtbuf [j]);
 			}
+
 			op += strlen (op);
+			if (op >= endbuf) {
+				log_error ("Option data exceeds"
+					   " maximum size %d", MAX_OUTPUT_SIZE);
+					   return ("<error>");
+			}
+
 			if (dp == data + len)
 				break;
 			if (j + 1 < numelem && comma != ':')
-- 
2.16.1
dhcp: add upstream security fixes CVE-2018-5732: The DHCP client incorrectly handled certain malformed responses. A remote attacker could use this issue to cause the DHCP client to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the dhclient AppArmor profile. CVE-2018-5733: The DHCP server incorrectly handled reference counting. A remote attacker could possibly use this issue to cause the DHCP server to crash, resulting in a denial of service. Both issues are fixed in version 4.4.1. But we are close to release, so backport the fixes instead of bumping version. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2018-03-03 20:43:56 +01:00			`From b8c29336bd5401a5f962bc6ddfa4ebb6f0274f3c Mon Sep 17 00:00:00 2001`
			`From: Thomas Markwalder <tmark@isc.org>`
			`Date: Sat, 10 Feb 2018 12:15:27 -0500`
			`Subject: [PATCH 1/2] Correct buffer overrun in pretty_print_option`

			`Merges in rt47139.`

			`[baruch: drop RELNOTES and test; address CVE-2018-5732]`
			`Signed-off-by: Baruch Siach <baruch@tkos.co.il>`
			`---`
			`Upstream status: backported from commit c5931725b48`
			`---`
			`common/options.c \| 15 ++++++++++++---`
			`1 file changed, 12 insertions(+), 3 deletions(-)`

			`diff --git a/common/options.c b/common/options.c`
			`index 5547287fb6e5..2ed6b16c6412 100644`
			`--- a/common/options.c`
			`+++ b/common/options.c`
			`@@ -1758,7 +1758,8 @@ format_min_length(format, oc)`


			`/* Format the specified option so that a human can easily read it. */`
			`-`
			`+/* Maximum pretty printed size */`
			`+#define MAX_OUTPUT_SIZE 32*1024`
			`const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)`
			`struct option *option;`
			`const unsigned char *data;`
			`@@ -1766,8 +1767,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)`
			`int emit_commas;`
			`int emit_quotes;`
			`{`
			`- static char optbuf [32768]; /* XXX */`
			`- static char *endbuf = &optbuf[sizeof(optbuf)];`
			`+ /* We add 128 byte pad so we don't have to add checks everywhere. */`
			`+ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */`
			`+ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;`
			`int hunksize = 0;`
			`int opthunk = 0;`
			`int hunkinc = 0;`
			`@@ -2193,7 +2195,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)`
			`log_error ("Unexpected format code %c",`
			`fmtbuf [j]);`
			`}`
			`+`
			`op += strlen (op);`
			`+ if (op >= endbuf) {`
			`+ log_error ("Option data exceeds"`
			`+ " maximum size %d", MAX_OUTPUT_SIZE);`
			`+ return ("<error>");`
			`+ }`
			`+`
			`if (dp == data + len)`
			`break;`
			`if (j + 1 < numelem && comma != ':')`
			`--`
			`2.16.1`