CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Fri Jan 8 23:09:41 UTC 2016 Modified Files: src/external/bsd/dhcp/dist/common: packet.c Log Message: Check correctly the packet length (CVE-2015-8605) XXX: pullup-6, pullup-7 To generate a diff of this commit: cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/dhcp/dist/common/packet.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/dhcp/dist/common/packet.c diff -u src/external/bsd/dhcp/dist/common/packet.c:1.1.1.4 src/external/bsd/dhcp/dist/common/packet.c:1.2 --- src/external/bsd/dhcp/dist/common/packet.c:1.1.1.4 Sat Jul 12 07:57:46 2014 +++ src/external/bsd/dhcp/dist/common/packet.c Fri Jan 8 18:09:41 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: packet.c,v 1.1.1.4 2014/07/12 11:57:46 spz Exp $ */ +/* $NetBSD: packet.c,v 1.2 2016/01/08 23:09:41 christos Exp $ */ /* packet.c Packet assembly code, originally contributed by Archie Cobbs. */ @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: packet.c,v 1.1.1.4 2014/07/12 11:57:46 spz Exp $"); +__RCSID("$NetBSD: packet.c,v 1.2 2016/01/08 23:09:41 christos Exp $"); #include "dhcpd.h" 
@@ -224,7 +224,28 @@ ssize_t decode_hw_header (interface, buf } } -/* UDP header and IP header decoded together for convenience. */ +/*! + * + * \brief UDP header and IP header decoded together for convenience. + * + * Attempt to decode the UDP and IP headers and, if necessary, checksum + * the packet. + * + * \param inteface - the interface on which the packet was recevied + * \param buf - a pointer to the buffer for the received packet + * \param bufix - where to start processing the buffer, previous + *routines may have processed parts of the buffer already + * \param from - space to return the address of the packet sender + * \param buflen - remaining length of the buffer, this will have been + * decremented by bufix by the caller + * \param rbuflen - space to return the length of the payload from the udp + * header + * \param csum_ready - indication if the checksum is valid for use + * non-zero indicates the checksum should be validated + * + * \return - the index to the first byte of the udp payload (that is the + * start of the DHCP packet + */ ssize_t decode_udp_ip_header(struct interface_info *interface, @@ -235,7 +256,7 @@ decode_udp_ip_header(struct interface_in unsigned char *data; struct ip ip; struct udphdr udp; - unsigned char *upp, *endbuf; + unsigned char *upp; u_int32_t ip_len, ulen, pkt_len; u_int32_t sum, usum; static int ip_packets_seen; @@ -246,11 +267,8 @@ decode_udp_ip_header(struct interface_in static int udp_packets_length_overflow; unsigned len; - /* Designate the end of the input buffer for bounds checks. */ - endbuf = buf + bufix + buflen; - /* Assure there is at least an IP header there. */ - if ((buf + bufix + sizeof(ip)) > endbuf) + if (sizeof(ip) > buflen) return -1; /* Copy the IP header into a stack aligned structure for inspection. 
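Review bot: The new Doxygen block in the @@ -224 hunk names its first parameter `\param inteface`, which does not match the `interface` argument in the signature below it, so the tag will not bind to the parameter; "recevied" on the same line is also misspelled. The `\return` text documents only the success value and leaves its parenthesis open, while the later hunks return -1 for every packet that fails a length test; I would write `\return - index of the first byte of the UDP payload (the start of the DHCP packet), or -1 when the packet is rejected`. The rewritten `if (sizeof(ip) > buflen)` test in the @@ -246 hunk is only correct if the caller has already subtracted `bufix` from `buflen`, so the `\param buflen` text should state that as a requirement on the caller rather than as a description. The function body continues outside these hunks.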
@@ -262,13 +280,17 @@ decode_udp_ip_header(struct interface_in ip_len = (*upp & 0x0f) << 2; upp += ip_len; - /* Check the IP packet length. */ + /* Check packet lengths are within the buffer: + * first the ip header (ip_len) + * then the packet length from the ip header (pkt_len) + * then the udp header (ip_len + sizeof(udp) + * We are liberal in what we accept, the udp payload should fit within + * pkt_len, but we only check against the full buffer size. + */ pkt_len = ntohs(ip.ip_len); - if (pkt_len > buflen) - return -1; - - /* Assure after ip_len bytes that there is enough room for a UDP header. */ - if ((upp + sizeof(udp)) > endbuf) + if ((ip_len > buflen) || + (pkt_len > buflen) || + ((ip_len + sizeof(udp)) > buflen)) return -1; /* Copy the UDP header into a stack aligned structure for inspection. */ @@ -289,7 +311,8 @@ decode_udp_ip_header(struct interface_in return -1; udp_packets_length_checked++; - if ((upp + ulen) > endbuf) { + /* verify that the payload length from the udp packet fits in the buffer */ + if ((ip_len + ulen) > buflen) { udp_packets_length_overflow++; if ((udp_packets_length_checked > 4) && ((udp_packets_length_checked / @@ -303,9 +326,6 @@ decode_udp_ip_header(struct interface_in return -1; } - if ((ulen < sizeof(udp)) || ((upp + ulen) > endbuf)) - return -1; - /* Check the IP header checksum - it should be zero. */ ++ip_packets_seen; if (wrapsum (checksum (buf + bufix, ip_len, 0))) {
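Review bot: In the @@ -262 hunk the context line `upp += ip_len;` still runs before the new `ip_len > buflen` test, so a header-length nibble larger than the remaining data moves the pointer past the received bytes (and possibly past the buffer object, which C leaves undefined) before anything rejects the packet. Nothing visible in this hunk rejects a header length below `sizeof(ip)` either, in which case the UDP header would be copied from inside the IP header. I would add `if (ip_len < sizeof(ip)) return -1;` ahead of the combined test and move `upp += ip_len;` below it. The lines between the `sizeof(ip)` check and the `ip_len` assignment are outside the hunks shown, so a lower bound may already be enforced there.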
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Fri Jan 8 23:09:41 UTC 2016 Modified Files: src/external/bsd/dhcp/dist/common: packet.c Log Message: Check correctly the packet length (CVE-2015-8605) XXX: pullup-6, pullup-7 To generate a diff of this commit: cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/dhcp/dist/common/packet.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Re: CVS commit: src/external/bsd/dhcp/dist/common
Hi, 2014-03-07 10:04 GMT+09:00 Christos Zoulas chris...@netbsd.org: Module Name:src Committed By: christos Date: Fri Mar 7 01:04:30 UTC 2014 Modified Files: src/external/bsd/dhcp/dist/common: ns_name.c Log Message: fix incorrect overflow test: https://android-review.googlesource.com/#/c/50570/ compile failed. - /usr/src/external/bsd/dhcp/lib/common/../../dist/common/ns_name.c: In function ' MRns_name_unpack': /usr/src/external/bsd/dhcp/lib/common/../../dist/common/ns_name.c:348:27: error: expected expression before '/' token if (n = eom - msg) { / Out of range. */ ^ *** [ns_name.o] Error code 1 - Regards, -- NONAKA Kimihiro
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Fri Mar 7 01:04:30 UTC 2014 Modified Files: src/external/bsd/dhcp/dist/common: ns_name.c Log Message: fix incorrect overflow test: https://android-review.googlesource.com/#/c/50570/ To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/dhcp/dist/common/ns_name.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/dhcp/dist/common/ns_name.c diff -u src/external/bsd/dhcp/dist/common/ns_name.c:1.4 src/external/bsd/dhcp/dist/common/ns_name.c:1.5 --- src/external/bsd/dhcp/dist/common/ns_name.c:1.4 Tue Mar 26 20:38:08 2013 +++ src/external/bsd/dhcp/dist/common/ns_name.c Thu Mar 6 20:04:29 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: ns_name.c,v 1.4 2013/03/27 00:38:08 christos Exp $ */ +/* $NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $ */ /* * Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. (ISC) @@ -24,7 +24,7 @@ */ #include sys/cdefs.h -__RCSID($NetBSD: ns_name.c,v 1.4 2013/03/27 00:38:08 christos Exp $); +__RCSID($NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $); #ifndef lint static const char rcsid[] = Id: ns_name.c,v 1.2 2009/10/28 04:12:29 sar Exp ; @@ -344,11 +344,12 @@ MRns_name_unpack(const u_char *msg, cons } if (len 0) len = srcp - src + 1; - srcp = msg + (((n 0x3f) 8) | (*srcp 0xff)); - if (srcp msg || srcp = eom) { /* Out of range. */ + n = ((n 0x3f) 8) | (*srcp 0xff); + if (n = eom - msg) { / Out of range. */ errno = EMSGSIZE; return (-1); } + srcp = msg + n; checked += 2; /* * Check for loops in the compressed name;
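Review bot: The @@ -344 hunk of ns_name.c replaces a test on the already-computed pointer with a test on the offset `n` before `srcp = msg + n` is formed, but nothing in the new lines says why that order matters. A one-line comment above the assignment would keep a later cleanup from folding the two steps back together, for example `/* bound the offset first: msg + n must never be formed outside [msg, eom) */`. The comparison operator in the new `if` line is not legible on this page, so I am assuming the test rejects `n` at or beyond `eom - msg`. MRns_name_unpack's body starts and ends outside the hunk.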
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: matt Date: Fri Mar 7 05:51:44 UTC 2014 Modified Files: src/external/bsd/dhcp/dist/common: ns_name.c Log Message: Fix (back into) comment To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/dhcp/dist/common/ns_name.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/dhcp/dist/common/ns_name.c diff -u src/external/bsd/dhcp/dist/common/ns_name.c:1.5 src/external/bsd/dhcp/dist/common/ns_name.c:1.6 --- src/external/bsd/dhcp/dist/common/ns_name.c:1.5 Fri Mar 7 01:04:29 2014 +++ src/external/bsd/dhcp/dist/common/ns_name.c Fri Mar 7 05:51:44 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $ */ +/* $NetBSD: ns_name.c,v 1.6 2014/03/07 05:51:44 matt Exp $ */ /* * Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. (ISC) @@ -24,7 +24,7 @@ */ #include sys/cdefs.h -__RCSID($NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $); +__RCSID($NetBSD: ns_name.c,v 1.6 2014/03/07 05:51:44 matt Exp $); #ifndef lint static const char rcsid[] = Id: ns_name.c,v 1.2 2009/10/28 04:12:29 sar Exp ; @@ -345,7 +345,7 @@ MRns_name_unpack(const u_char *msg, cons if (len 0) len = srcp - src + 1; n = ((n 0x3f) 8) | (*srcp 0xff); - if (n = eom - msg) { / Out of range. */ + if (n = eom - msg) { /* Out of range. */ errno = EMSGSIZE; return (-1); }
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Fri Mar 7 01:04:30 UTC 2014 Modified Files: src/external/bsd/dhcp/dist/common: ns_name.c Log Message: fix incorrect overflow test: https://android-review.googlesource.com/#/c/50570/ To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/dhcp/dist/common/ns_name.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: matt Date: Fri Mar 7 05:51:44 UTC 2014 Modified Files: src/external/bsd/dhcp/dist/common: ns_name.c Log Message: Fix (back into) comment To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/external/bsd/dhcp/dist/common/ns_name.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Thu Dec 19 22:05:58 UTC 2013 Modified Files: src/external/bsd/dhcp/dist/common: alloc.c discover.c Log Message: more casts To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/alloc.c cvs rdiff -u -r1.2 -r1.3 src/external/bsd/dhcp/dist/common/discover.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/dhcp/dist/common/alloc.c diff -u src/external/bsd/dhcp/dist/common/alloc.c:1.1.1.2 src/external/bsd/dhcp/dist/common/alloc.c:1.2 --- src/external/bsd/dhcp/dist/common/alloc.c:1.1.1.2 Sun Mar 24 18:50:29 2013 +++ src/external/bsd/dhcp/dist/common/alloc.c Thu Dec 19 17:05:58 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: alloc.c,v 1.1.1.2 2013/03/24 22:50:29 christos Exp $ */ +/* $NetBSD: alloc.c,v 1.2 2013/12/19 22:05:58 christos Exp $ */ /* alloc.c @@ -36,7 +36,7 @@ */ #include sys/cdefs.h -__RCSID($NetBSD: alloc.c,v 1.1.1.2 2013/03/24 22:50:29 christos Exp $); +__RCSID($NetBSD: alloc.c,v 1.2 2013/12/19 22:05:58 christos Exp $); #include dhcpd.h #include omapip/omapip_p.h @@ -146,7 +146,7 @@ int option_chain_head_dereference (ptr, cdr = car - cdr; if (car - car) option_cache_dereference ((struct option_cache **) - (car - car), MDL); + (void *)(car - car), MDL); dfree (car, MDL); car = cdr; } Index: src/external/bsd/dhcp/dist/common/discover.c diff -u src/external/bsd/dhcp/dist/common/discover.c:1.2 src/external/bsd/dhcp/dist/common/discover.c:1.3 --- src/external/bsd/dhcp/dist/common/discover.c:1.2 Sun Mar 24 11:53:58 2013 +++ src/external/bsd/dhcp/dist/common/discover.c Thu Dec 19 17:05:58 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: discover.c,v 1.2 2013/03/24 15:53:58 christos Exp $ */ +/* $NetBSD: discover.c,v 1.3 2013/12/19 22:05:58 christos Exp $ */ /* discover.c 
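Review bot: The `(void *)` hop added in the @@ -146 hunk of alloc.c changes nothing at run time; it presumably only silences a pointer-cast warning, and the same applies to the @@ -1580 hunk of discover.c. In discover.c the argument is now cast to `void *` alone, so the explicit `omapi_object_t **` target type is gone and any pointer passed at that call would convert silently. Neither hunk records why the stored pointer really has the target type; a comment such as `/* car holds a struct option_cache * here; the void * hop only quiets the cast warning */` at each site would write down the assumption the warning was questioning. The types of `car` and `shared_network` are declared outside this page, so this should be confirmed against the headers.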
@@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__RCSID($NetBSD: discover.c,v 1.2 2013/03/24 15:53:58 christos Exp $); +__RCSID($NetBSD: discover.c,v 1.3 2013/12/19 22:05:58 christos Exp $); #include dhcpd.h @@ -1580,7 +1580,7 @@ isc_result_t dhcp_interface_destroy (oma interface - client = (struct client_state *)0; if (interface - shared_network) - omapi_object_dereference ((omapi_object_t **) + omapi_object_dereference ((void *) interface - shared_network, MDL); return ISC_R_SUCCESS;
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Thu Dec 19 22:05:58 UTC 2013 Modified Files: src/external/bsd/dhcp/dist/common: alloc.c discover.c Log Message: more casts To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/alloc.c cvs rdiff -u -r1.2 -r1.3 src/external/bsd/dhcp/dist/common/discover.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Mon Apr 8 02:16:03 UTC 2013 Modified Files: src/external/bsd/dhcp/dist/common: bpf.c Log Message: Use the active link local layer address instead of the first one you find. It would be nice if getifaddrs gave all the information needed instead of needed a separate ioctl. Or at least if the inactive addresses were marked down in flags? To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/bpf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/dhcp/dist/common/bpf.c diff -u src/external/bsd/dhcp/dist/common/bpf.c:1.1.1.2 src/external/bsd/dhcp/dist/common/bpf.c:1.2 --- src/external/bsd/dhcp/dist/common/bpf.c:1.1.1.2 Tue Mar 26 20:31:33 2013 +++ src/external/bsd/dhcp/dist/common/bpf.c Sun Apr 7 22:16:03 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: bpf.c,v 1.1.1.2 2013/03/27 00:31:33 christos Exp $ */ +/* $NetBSD: bpf.c,v 1.2 2013/04/08 02:16:03 christos Exp $ */ /* bpf.c @@ -35,7 +35,7 @@ */ #include sys/cdefs.h -__RCSID($NetBSD: bpf.c,v 1.1.1.2 2013/03/27 00:31:33 christos Exp $); +__RCSID($NetBSD: bpf.c,v 1.2 2013/04/08 02:16:03 christos Exp $); #include dhcpd.h #if defined (USE_BPF_SEND) || defined (USE_BPF_RECEIVE) \ @@ -54,6 +54,7 @@ __RCSID($NetBSD: bpf.c,v 1.1.1.2 2013/0 # endif # endif +#include sys/param.h #include netinet/in_systm.h #include includes/netinet/ip.h #include includes/netinet/udp.h 
@@ -556,11 +557,50 @@ void maybe_setup_fallback () } } +static int +lladdr_active(int s, const char *name, const struct ifaddrs *ifa) +{ + if (ifa-ifa_addr-sa_family != AF_LINK) + return 0; + if (strcmp(ifa-ifa_name, name) != 0) + return 0; + +#ifdef SIOCGLIFADDR +{ + struct if_laddrreq iflr; + const struct sockaddr_dl *sdl; + + sdl = satocsdl(ifa-ifa_addr); + memset(iflr, 0, sizeof(iflr)); + + strlcpy(iflr.iflr_name, ifa-ifa_name, sizeof(iflr.iflr_name)); + memcpy(iflr.addr, ifa-ifa_addr, MIN(ifa-ifa_addr-sa_len, + sizeof(iflr.addr))); + iflr.flags = IFLR_PREFIX; + iflr.prefixlen = sdl-sdl_alen * NBBY; + + if (ioctl(s, SIOCGLIFADDR, iflr) == -1) { + log_fatal(ioctl(SIOCGLIFADDR): %m); + } + + if ((iflr.flags IFLR_ACTIVE) == 0) + return 0; +} +#endif + return 1; +} + + void get_hw_addr(const char *name, struct hardware *hw) { struct ifaddrs *ifa; struct ifaddrs *p; struct sockaddr_dl *sa; + int s; + + if ((s = socket(AF_LINK, SOCK_DGRAM, 0)) == -1) { + log_fatal(socket AF_LINK: %m); + } if (getifaddrs(ifa) != 0) { log_fatal(Error getting interface information; %m); @@ -570,15 +610,16 @@ get_hw_addr(const char *name, struct har * Loop through our interfaces finding a match. */ sa = NULL; - for (p=ifa; (p != NULL) (sa == NULL); p = p-ifa_next) { - if ((p-ifa_addr-sa_family == AF_LINK) - !strcmp(p-ifa_name, name)) { + for (p = ifa; p != NULL; p = p-ifa_next) { + if (lladdr_active(s, name, p)) { sa = (struct sockaddr_dl *)p-ifa_addr; + break; } } if (sa == NULL) { log_fatal(No interface called '%s', name); } + close(s); /* * Pull out the appropriate information.
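Review bot: `lladdr_active()` in the @@ -556 hunk reads `ifa_addr->sa_family` on its first line without checking `ifa_addr`, and getifaddrs() may return entries whose `ifa_addr` is NULL; the loop in the @@ -570 hunk now calls it for every entry. The guard could be `if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_LINK) return 0;`. Separately, a failing SIOCGLIFADDR on a single address ends in `log_fatal`, which presumably terminates the daemon; returning 0 for that address would let the loop try the next one. get_hw_addr's body continues outside the hunk.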
CVS commit: src/external/bsd/dhcp/dist/common
Module Name:src Committed By: christos Date: Mon Apr 8 02:16:03 UTC 2013 Modified Files: src/external/bsd/dhcp/dist/common: bpf.c Log Message: Use the active link local layer address instead of the first one you find. It would be nice if getifaddrs gave all the information needed instead of needed a separate ioctl. Or at least if the inactive addresses were marked down in flags? To generate a diff of this commit: cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/bpf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.