CVS commit: [netbsd-7-1] src/external/bsd/dhcpcd/dist

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Sun May  5 09:07:17 UTC 2019

Modified Files:
src/external/bsd/dhcpcd/dist [netbsd-7-1]: dhcp6.c

Log Message:
Apply patch, requested by roy in ticket #1695:

external/bsd/dhcpcd/dist/src/dhcp6.c

DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.13.2.2 -r1.1.1.13.2.2.6.1 \
src/external/bsd/dhcpcd/dist/dhcp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcpcd/dist/dhcp6.c
diff -u src/external/bsd/dhcpcd/dist/dhcp6.c:1.1.1.13.2.2 src/external/bsd/dhcpcd/dist/dhcp6.c:1.1.1.13.2.2.6.1
--- src/external/bsd/dhcpcd/dist/dhcp6.c:1.1.1.13.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/dhcp6.c	Sun May  5 09:07:17 2019
@@ -1,5 +1,5 @@
 #include 
- __RCSID("$NetBSD: dhcp6.c,v 1.1.1.13.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: dhcp6.c,v 1.1.1.13.2.2.6.1 2019/05/05 09:07:17 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -1856,38 +1856,39 @@ dhcp6_findpd(struct interface *ifp, cons
 		ex = dhcp6_findoption(D6_OPTION_PD_EXCLUDE, p, ol);
 		a->prefix_exclude_len = 0;
 		memset(>prefix_exclude, 0, sizeof(a->prefix_exclude));
-#if 0
-		if (ex == NULL) {
-			struct dhcp6_option *w;
-			uint8_t *wp;
-
-			w = calloc(1, 128);
-			w->len = htons(2);
-			wp = D6_OPTION_DATA(w);
-			*wp++ = 64;
-			*wp++ = 0x78;
-			ex = w;
-		}
-#endif
 		if (ex == NULL)
 			continue;
+
 		ol = ntohs(ex->len);
-		if (ol < 2) {
-			syslog(LOG_ERR, "%s: truncated PD Exclude",
-			ifp->name);
+
+		/* RFC 6603 4.2 says option length MUST be between 2 and 17.
+		 * This allows 1 octet for prefix length and 16 for the
+		 * subnet ID. */
+		if (ol < 2 || ol > 17) {
+			syslog(LOG_ERR,
+			"%s: invalid PD Exclude option", ifp->name);
 			continue;
 		}
+
 		op = D6_COPTION_DATA(ex);
-		a->prefix_exclude_len = *op++;
+		/* RFC 6603 4.2 says prefix length MUST be between the
+		 * length of the IAPREFIX prefix length + 1 and 128. */
+		if (*op < a->prefix_len + 1 || *op > 128) {
+			syslog(LOG_ERR,
+			"%s: invalid PD Exclude length", ifp->name);
+			continue;
+		}
+
+		/* Check option length matches prefix length. */
 		ol--;
-		if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
-		!= ol)
-		{
-			syslog(LOG_ERR, "%s: PD Exclude length mismatch",
-			ifp->name);
+		if (((*op - a->prefix_len - 1) / NBBY) + 1 != ol) {
+			syslog(LOG_ERR,
+			"%s: PD Exclude length mismatch", ifp->name);
 			a->prefix_exclude_len = 0;
 			continue;
 		}
+		a->prefix_exclude_len = *op++;
+
 		u8 = a->prefix_len % NBBY;
 		memcpy(>prefix_exclude, >prefix,
 		sizeof(a->prefix_exclude));

CVS commit: [netbsd-7-1] src/external/bsd/dhcpcd/dist

[Martin Husemann]

Module Name:src
Committed By:   martin
Date:   Wed May  1 09:25:16 UTC 2019

Modified Files:
src/external/bsd/dhcpcd/dist [netbsd-7-1]: auth.c dhcp.c dhcpcd.h

Log Message:
Apply patch, requested by roy in ticket #1690:

external/bsd/dhcpcd/dist/configure
external/bsd/dhcpcd/dist/src/auth.c
external/bsd/dhcpcd/dist/src/dhcp.c
external/bsd/dhcpcd/dist/src/dhcp6.c
external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4.2.2 -r1.1.1.4.2.2.6.1 \
src/external/bsd/dhcpcd/dist/auth.c
cvs rdiff -u -r1.15.2.2 -r1.15.2.2.6.1 src/external/bsd/dhcpcd/dist/dhcp.c
cvs rdiff -u -r1.1.1.19.2.2 -r1.1.1.19.2.2.6.1 \
src/external/bsd/dhcpcd/dist/dhcpcd.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcpcd/dist/auth.c
diff -u src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2 src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2.6.1
--- src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/auth.c	Wed May  1 09:25:16 2019
@@ -1,5 +1,5 @@
 #include 
- __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2.6.1 2019/05/01 09:25:16 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -340,7 +340,7 @@ gottoken:
 	}
 
 	free(mm);
-	if (memcmp(d, , dlen)) {
+	if (!consttime_memequal(d, , dlen)) {
 		errno = EPERM;
 		return NULL;
 	}

Index: src/external/bsd/dhcpcd/dist/dhcp.c
diff -u src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2 src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2.6.1
--- src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/dhcp.c	Wed May  1 09:25:16 2019
@@ -1,5 +1,5 @@
 #include 
- __RCSID("$NetBSD: dhcp.c,v 1.15.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: dhcp.c,v 1.15.2.2.6.1 2019/05/01 09:25:16 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -166,28 +166,6 @@ get_option(struct dhcpcd_ctx *ctx,
 
 	while (p < e) {
 		o = *p++;
-		if (o == opt) {
-			if (op) {
-if (!ctx->opt_buffer) {
-	ctx->opt_buffer =
-	malloc(DHCP_OPTION_LEN +
-	BOOTFILE_LEN + SERVERNAME_LEN);
-	if (ctx->opt_buffer == NULL)
-		return NULL;
-}
-if (!bp)
-	bp = ctx->opt_buffer;
-memcpy(bp, op, ol);
-bp += ol;
-			}
-			ol = *p;
-			if (p + ol > e) {
-errno = EINVAL;
-return NULL;
-			}
-			op = p + 1;
-			bl += ol;
-		}
 		switch (o) {
 		case DHO_PAD:
 			continue;
@@ -205,16 +183,58 @@ get_option(struct dhcpcd_ctx *ctx,
 			} else
 goto exit;
 			break;
-		case DHO_OPTIONSOVERLOADED:
+		}
+
+		/* Check we can read the length */
+		if (p == e) {
+			errno = EINVAL;
+			return NULL;
+		}
+		l = *p++;
+
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
+		if (o == DHO_OPTIONSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
 			 * This is valid because only the first two bits
 			 * actually mean anything in RFC2132 Section 9.3 */
-			if (!overl)
-overl = 0x80 | p[1];
-			break;
+			if (l == 1 && !overl)
+overl = 0x80 | p[0];
+		}
+
+		if (o == opt) {
+			if (op) {
+/* We must concatonate the options. */
+if (bl + l > ctx->opt_buffer_len) {
+	size_t pos;
+	uint8_t *nb;
+
+	if (bp)
+		pos = (size_t)
+		(bp - ctx->opt_buffer);
+	else
+		pos = 0;
+	nb = realloc(ctx->opt_buffer, bl + l);
+	if (nb == NULL)
+		return NULL;
+	ctx->opt_buffer = nb;
+	ctx->opt_buffer_len = bl + l;
+	bp = ctx->opt_buffer + pos;
+}
+if (bp == NULL)
+	bp = ctx->opt_buffer;
+memcpy(bp, op, ol);
+bp += ol;
+			}
+			ol = l;
+			op = p;
+			bl += ol;
 		}
-		l = *p++;
 		p += l;
 	}
 

Index: src/external/bsd/dhcpcd/dist/dhcpcd.h
diff -u src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2 src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2.6.1
--- src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/dhcpcd.h	Wed May  1 09:25:16 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2 2015/02/05 15:13:12 martin Exp $ */
+/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2.6.1 2019/05/01 09:25:16 martin Exp $ */
 
 /*
  * dhcpcd - DHCP client daemon
@@ -131,6 +131,7 @@ struct dhcpcd_ctx {
 	 * We ONLY use this when options are split, which for most purposes is
 	 * practically never. See RFC3396 for details. */
 	uint8_t *opt_buffer;
+	size_t opt_buffer_len;
 #endif
 #ifdef INET6
 	unsigned char secret[SECRET_LEN];