dhcp: add upstream security fixes
CVE-2018-5732: The DHCP client incorrectly handled certain malformed responses. A remote attacker could use this issue to cause the DHCP client to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the dhclient AppArmor profile. CVE-2018-5733: The DHCP server incorrectly handled reference counting. A remote attacker could possibly use this issue to cause the DHCP server to crash, resulting in a denial of service. Both issues are fixed in version 4.4.1. But we are close to release, so backport the fixes instead of bumping version. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
parent
00fc361b0a
commit
047cec5993
@ -0,0 +1,59 @@
|
||||
From b8c29336bd5401a5f962bc6ddfa4ebb6f0274f3c Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Markwalder <tmark@isc.org>
|
||||
Date: Sat, 10 Feb 2018 12:15:27 -0500
|
||||
Subject: [PATCH 1/2] Correct buffer overrun in pretty_print_option
|
||||
|
||||
Merges in rt47139.
|
||||
|
||||
[baruch: drop RELNOTES and test; address CVE-2018-5732]
|
||||
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||||
---
|
||||
Upstream status: backported from commit c5931725b48
|
||||
---
|
||||
common/options.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/common/options.c b/common/options.c
|
||||
index 5547287fb6e5..2ed6b16c6412 100644
|
||||
--- a/common/options.c
|
||||
+++ b/common/options.c
|
||||
@@ -1758,7 +1758,8 @@ format_min_length(format, oc)
|
||||
|
||||
|
||||
/* Format the specified option so that a human can easily read it. */
|
||||
-
|
||||
+/* Maximum pretty printed size */
|
||||
+#define MAX_OUTPUT_SIZE 32*1024
|
||||
const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
|
||||
struct option *option;
|
||||
const unsigned char *data;
|
||||
@@ -1766,8 +1767,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
|
||||
int emit_commas;
|
||||
int emit_quotes;
|
||||
{
|
||||
- static char optbuf [32768]; /* XXX */
|
||||
- static char *endbuf = &optbuf[sizeof(optbuf)];
|
||||
+ /* We add 128 byte pad so we don't have to add checks everywhere. */
|
||||
+ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
|
||||
+ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
|
||||
int hunksize = 0;
|
||||
int opthunk = 0;
|
||||
int hunkinc = 0;
|
||||
@@ -2193,7 +2195,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
|
||||
log_error ("Unexpected format code %c",
|
||||
fmtbuf [j]);
|
||||
}
|
||||
+
|
||||
op += strlen (op);
|
||||
+ if (op >= endbuf) {
|
||||
+ log_error ("Option data exceeds"
|
||||
+ " maximum size %d", MAX_OUTPUT_SIZE);
|
||||
+ return ("<error>");
|
||||
+ }
|
||||
+
|
||||
if (dp == data + len)
|
||||
break;
|
||||
if (j + 1 < numelem && comma != ':')
|
||||
--
|
||||
2.16.1
|
||||
|
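Review bot: The new overrun check in pretty_print_option rests on an unstated invariant: `op` is compared with `endbuf` only after an element has already been written, so the 128-byte pad must exceed anything a single pass of the format loop can append. The branches that do the writing are outside this hunk, so that bound cannot be confirmed from here; the pad comment should state it, for example `/* Pad absorbs one element written past endbuf before the check below; no single format code may emit more than 128 bytes. */`. Separately, `#define MAX_OUTPUT_SIZE 32*1024` is unparenthesized; it happens to work in `MAX_OUTPUT_SIZE + 128` and `optbuf + MAX_OUTPUT_SIZE`, but `#define MAX_OUTPUT_SIZE (32*1024)` avoids precedence surprises in later uses.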
@ -0,0 +1,40 @@
|
||||
From 93b5b67dd31b9efcbfaabc2df1e1d9d164a5e04a Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Markwalder <tmark@isc.org>
|
||||
Date: Fri, 9 Feb 2018 14:46:08 -0500
|
||||
Subject: [PATCH 2/2] Corrected refcnt loss in option parsing
|
||||
|
||||
Merges in 47140.
|
||||
|
||||
[baruch: drop RELNOTES and tests; address CVE-2018-5733]
|
||||
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||||
---
|
||||
Upstream status: backported from commit 197b26f25309
|
||||
---
|
||||
common/options.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/options.c b/common/options.c
|
||||
index 2ed6b16c6412..25b29a6be7bb 100644
|
||||
--- a/common/options.c
|
||||
+++ b/common/options.c
|
||||
@@ -3,7 +3,7 @@
|
||||
DHCP options parsing and reassembly. */
|
||||
|
||||
/*
|
||||
- * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
|
||||
+ * Copyright (c) 2004-2018 by Internet Systems Consortium, Inc. ("ISC")
|
||||
* Copyright (c) 1995-2003 by Internet Software Consortium
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer, length, universe)
|
||||
|
||||
/* If the length is outrageous, the options are bad. */
|
||||
if (offset + len > length) {
|
||||
+ /* Avoid reference count overflow */
|
||||
+ option_dereference(&option, MDL);
|
||||
reason = "option length exceeds option buffer length";
|
||||
bogus:
|
||||
log_error("parse_option_buffer: malformed option "
|
||||
--
|
||||
2.16.1
|
||||
|
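Review bot: The comment `/* Avoid reference count overflow */` in parse_option_buffer does not say which reference is being dropped or why it would otherwise leak. From the visible lines, the length check bails out to the `bogus:` error path while `option` still holds a reference, presumably taken by a lookup earlier in the loop (outside this hunk), so each over-long option in a received packet would bump the count without a matching release. A fuller comment such as `/* Drop the reference held in option before bailing out; otherwise every over-long option leaks one and the count can eventually wrap. */` would make that clear. The dereference sits before the `bogus:` label, so any other `goto bogus` site skips it; it is worth confirming those jumps happen only when no reference is held.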