CVS commit: src/external/bsd/dhcp/dist/common

2016-01-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Jan  8 23:09:41 UTC 2016

Modified Files:
src/external/bsd/dhcp/dist/common: packet.c

Log Message:
Check correctly the packet length (CVE-2015-8605)
XXX: pullup-6, pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/dhcp/dist/common/packet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcp/dist/common/packet.c
diff -u src/external/bsd/dhcp/dist/common/packet.c:1.1.1.4 src/external/bsd/dhcp/dist/common/packet.c:1.2
--- src/external/bsd/dhcp/dist/common/packet.c:1.1.1.4	Sat Jul 12 07:57:46 2014
+++ src/external/bsd/dhcp/dist/common/packet.c	Fri Jan  8 18:09:41 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: packet.c,v 1.1.1.4 2014/07/12 11:57:46 spz Exp $	*/
+/*	$NetBSD: packet.c,v 1.2 2016/01/08 23:09:41 christos Exp $	*/
 /* packet.c
 
Packet assembly code, originally contributed by Archie Cobbs. */
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: packet.c,v 1.1.1.4 2014/07/12 11:57:46 spz Exp $");
+__RCSID("$NetBSD: packet.c,v 1.2 2016/01/08 23:09:41 christos Exp $");
 
 #include "dhcpd.h"
 
@@ -224,7 +224,28 @@ ssize_t decode_hw_header (interface, buf
 	}
 }
 
-/* UDP header and IP header decoded together for convenience. */
+/*!
+ *
+ * \brief UDP header and IP header decoded together for convenience.
+ *
+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
+ * the packet.
+ *
+ * \param inteface - the interface on which the packet was recevied
+ * \param buf - a pointer to the buffer for the received packet
+ * \param bufix - where to start processing the buffer, previous
+ *routines may have processed parts of the buffer already
+ * \param from - space to return the address of the packet sender
+ * \param buflen - remaining length of the buffer, this will have been
+ * decremented by bufix by the caller
+ * \param rbuflen - space to return the length of the payload from the udp
+ *  header
+ * \param csum_ready - indication if the checksum is valid for use
+ * non-zero indicates the checksum should be validated
+ *
+ * \return - the index to the first byte of the udp payload (that is the
+ *   start of the DHCP packet
+ */
 
 ssize_t
 decode_udp_ip_header(struct interface_info *interface,
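Review bot: The new Doxygen block names the first parameter `inteface`, which does not match the `interface` parameter in the signature just below, so documentation tools will not attach the description to it; `recevied` is misspelled on the same line. The `\return` text also leaves out the failure case: the later hunks show the body returning -1 whenever a length check fails, so I would write `\return - the index to the first byte of the udp payload (the start of the DHCP packet), or -1 if the packet is rejected`. The function body continues outside this hunk.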
@@ -235,7 +256,7 @@ decode_udp_ip_header(struct interface_in
   unsigned char *data;
   struct ip ip;
   struct udphdr udp;
-  unsigned char *upp, *endbuf;
+  unsigned char *upp;
   u_int32_t ip_len, ulen, pkt_len;
   u_int32_t sum, usum;
   static int ip_packets_seen;
@@ -246,11 +267,8 @@ decode_udp_ip_header(struct interface_in
   static int udp_packets_length_overflow;
   unsigned len;
 
-  /* Designate the end of the input buffer for bounds checks. */
-  endbuf = buf + bufix + buflen;
-
   /* Assure there is at least an IP header there. */
-  if ((buf + bufix + sizeof(ip)) > endbuf)
+  if (sizeof(ip) > buflen)
 	  return -1;
 
   /* Copy the IP header into a stack aligned structure for inspection.
@@ -262,13 +280,17 @@ decode_udp_ip_header(struct interface_in
   ip_len = (*upp & 0x0f) << 2;
   upp += ip_len;
 
-  /* Check the IP packet length. */
+  /* Check packet lengths are within the buffer:
+   * first the ip header (ip_len)
+   * then the packet length from the ip header (pkt_len)
+   * then the udp header (ip_len + sizeof(udp)
+   * We are liberal in what we accept, the udp payload should fit within
+   * pkt_len, but we only check against the full buffer size.
+   */
   pkt_len = ntohs(ip.ip_len);
-  if (pkt_len > buflen)
-	return -1;
-
-  /* Assure after ip_len bytes that there is enough room for a UDP header. */
-  if ((upp + sizeof(udp)) > endbuf)
+  if ((ip_len > buflen) ||
+  (pkt_len > buflen) ||
+  ((ip_len + sizeof(udp)) > buflen))
 	  return -1;
 
   /* Copy the UDP header into a stack aligned structure for inspection. */
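Review bot: The combined test bounds `ip_len` from above but never from below. `ip_len` is taken from the low nibble of the first header byte (`(*upp & 0x0f) << 2`), so a header-length field under 5 gives a value smaller than `sizeof(ip)`, and the UDP header is then read from bytes that were already copied as the IP header. That read stays inside the buffer, so it is a validation gap rather than an over-read, but rejecting it is cheap: add `(ip_len < sizeof(ip)) ||` as the first term of the condition. The new comment says the UDP payload is checked only against the full buffer and not against `pkt_len`; if that is deliberate, the comment should say why. The function starts and ends outside this hunk.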
@@ -289,7 +311,8 @@ decode_udp_ip_header(struct interface_in
 	return -1;
 
   udp_packets_length_checked++;
-  if ((upp + ulen) > endbuf) {
+  /* verify that the payload length from the udp packet fits in the buffer */
+  if ((ip_len + ulen) > buflen) {
 	udp_packets_length_overflow++;
 	if ((udp_packets_length_checked > 4) &&
 	((udp_packets_length_checked /
@@ -303,9 +326,6 @@ decode_udp_ip_header(struct interface_in
 	return -1;
   }
 
-  if ((ulen < sizeof(udp)) || ((upp + ulen) > endbuf))
-	return -1;
-
   /* Check the IP header checksum - it should be zero. */
   ++ip_packets_seen;
   if (wrapsum (checksum (buf + bufix, ip_len, 0))) {



CVS commit: src/external/bsd/dhcp/dist/common

2016-01-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Jan  8 23:09:41 UTC 2016

Modified Files:
src/external/bsd/dhcp/dist/common: packet.c

Log Message:
Check correctly the packet length (CVE-2015-8605)
XXX: pullup-6, pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/dhcp/dist/common/packet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Re: CVS commit: src/external/bsd/dhcp/dist/common

2014-03-06 Thread NONAKA Kimihiro
Hi,

2014-03-07 10:04 GMT+09:00 Christos Zoulas chris...@netbsd.org:

 Module Name:src
 Committed By:   christos
 Date:   Fri Mar  7 01:04:30 UTC 2014

 Modified Files:
 src/external/bsd/dhcp/dist/common: ns_name.c

 Log Message:
 fix incorrect overflow test: 
 https://android-review.googlesource.com/#/c/50570/

compile failed.

-
/usr/src/external/bsd/dhcp/lib/common/../../dist/common/ns_name.c: In function '
MRns_name_unpack':
/usr/src/external/bsd/dhcp/lib/common/../../dist/common/ns_name.c:348:27: error:
 expected expression before '/' token
if (n = eom - msg) {  / Out of range. */
   ^
*** [ns_name.o] Error code 1
-

Regards,
-- 
NONAKA Kimihiro


CVS commit: src/external/bsd/dhcp/dist/common

2014-03-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar  7 01:04:30 UTC 2014

Modified Files:
src/external/bsd/dhcp/dist/common: ns_name.c

Log Message:
fix incorrect overflow test: https://android-review.googlesource.com/#/c/50570/


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/dhcp/dist/common/ns_name.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcp/dist/common/ns_name.c
diff -u src/external/bsd/dhcp/dist/common/ns_name.c:1.4 src/external/bsd/dhcp/dist/common/ns_name.c:1.5
--- src/external/bsd/dhcp/dist/common/ns_name.c:1.4	Tue Mar 26 20:38:08 2013
+++ src/external/bsd/dhcp/dist/common/ns_name.c	Thu Mar  6 20:04:29 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: ns_name.c,v 1.4 2013/03/27 00:38:08 christos Exp $	*/
+/*	$NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $	*/
 
 /*
  * Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. (ISC)
@@ -24,7 +24,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: ns_name.c,v 1.4 2013/03/27 00:38:08 christos Exp $);
+__RCSID($NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $);
 
 #ifndef lint
 static const char rcsid[] = Id: ns_name.c,v 1.2 2009/10/28 04:12:29 sar Exp ;
@@ -344,11 +344,12 @@ MRns_name_unpack(const u_char *msg, cons
 			}
 			if (len  0)
 len = srcp - src + 1;
-			srcp = msg + (((n  0x3f)  8) | (*srcp  0xff));
-			if (srcp  msg || srcp = eom) {  /* Out of range. */
+			n = ((n  0x3f)  8) | (*srcp  0xff);
+			if (n = eom - msg) {  / Out of range. */
 errno = EMSGSIZE;
 return (-1);
 			}
+			srcp = msg + n;
 			checked += 2;
 			/*
 			 * Check for loops in the compressed name;
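Review bot: Nothing at the new bounds test records why the compression offset is now validated as an integer before `srcp` is assigned, which is the reason for the change. I would add a comment above the test such as `/* Validate the offset before forming the pointer: msg + n past eom is undefined, so a pointer comparison cannot be relied on. */`. This page's rendering has dropped some operator characters, so I am reading the condition as `n >= eom - msg`; if that is right, it is worth confirming that the declared type of `n` makes this comparison immune to signed/unsigned conversion. MRns_name_unpack starts and ends outside this hunk.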



CVS commit: src/external/bsd/dhcp/dist/common

2014-03-06 Thread Matt Thomas
Module Name:src
Committed By:   matt
Date:   Fri Mar  7 05:51:44 UTC 2014

Modified Files:
src/external/bsd/dhcp/dist/common: ns_name.c

Log Message:
Fix (back into) comment


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/dhcp/dist/common/ns_name.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcp/dist/common/ns_name.c
diff -u src/external/bsd/dhcp/dist/common/ns_name.c:1.5 src/external/bsd/dhcp/dist/common/ns_name.c:1.6
--- src/external/bsd/dhcp/dist/common/ns_name.c:1.5	Fri Mar  7 01:04:29 2014
+++ src/external/bsd/dhcp/dist/common/ns_name.c	Fri Mar  7 05:51:44 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $	*/
+/*	$NetBSD: ns_name.c,v 1.6 2014/03/07 05:51:44 matt Exp $	*/
 
 /*
  * Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. (ISC)
@@ -24,7 +24,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: ns_name.c,v 1.5 2014/03/07 01:04:29 christos Exp $);
+__RCSID($NetBSD: ns_name.c,v 1.6 2014/03/07 05:51:44 matt Exp $);
 
 #ifndef lint
 static const char rcsid[] = Id: ns_name.c,v 1.2 2009/10/28 04:12:29 sar Exp ;
@@ -345,7 +345,7 @@ MRns_name_unpack(const u_char *msg, cons
 			if (len  0)
 len = srcp - src + 1;
 			n = ((n  0x3f)  8) | (*srcp  0xff);
-			if (n = eom - msg) {  / Out of range. */
+			if (n = eom - msg) {  /* Out of range. */
 errno = EMSGSIZE;
 return (-1);
 			}



CVS commit: src/external/bsd/dhcp/dist/common

2014-03-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar  7 01:04:30 UTC 2014

Modified Files:
src/external/bsd/dhcp/dist/common: ns_name.c

Log Message:
fix incorrect overflow test: https://android-review.googlesource.com/#/c/50570/


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/dhcp/dist/common/ns_name.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/external/bsd/dhcp/dist/common

2014-03-06 Thread Matt Thomas
Module Name:src
Committed By:   matt
Date:   Fri Mar  7 05:51:44 UTC 2014

Modified Files:
src/external/bsd/dhcp/dist/common: ns_name.c

Log Message:
Fix (back into) comment


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/dhcp/dist/common/ns_name.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/external/bsd/dhcp/dist/common

2013-12-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Dec 19 22:05:58 UTC 2013

Modified Files:
src/external/bsd/dhcp/dist/common: alloc.c discover.c

Log Message:
more casts


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/alloc.c
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/dhcp/dist/common/discover.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcp/dist/common/alloc.c
diff -u src/external/bsd/dhcp/dist/common/alloc.c:1.1.1.2 src/external/bsd/dhcp/dist/common/alloc.c:1.2
--- src/external/bsd/dhcp/dist/common/alloc.c:1.1.1.2	Sun Mar 24 18:50:29 2013
+++ src/external/bsd/dhcp/dist/common/alloc.c	Thu Dec 19 17:05:58 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: alloc.c,v 1.1.1.2 2013/03/24 22:50:29 christos Exp $	*/
+/*	$NetBSD: alloc.c,v 1.2 2013/12/19 22:05:58 christos Exp $	*/
 
 /* alloc.c
 
@@ -36,7 +36,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: alloc.c,v 1.1.1.2 2013/03/24 22:50:29 christos Exp $);
+__RCSID($NetBSD: alloc.c,v 1.2 2013/12/19 22:05:58 christos Exp $);
 
 #include dhcpd.h
 #include omapip/omapip_p.h
@@ -146,7 +146,7 @@ int option_chain_head_dereference (ptr, 
 		cdr = car - cdr;
 		if (car - car)
 			option_cache_dereference ((struct option_cache **)
-		  (car - car), MDL);
+		  (void *)(car - car), MDL);
 		dfree (car, MDL);
 		car = cdr;
 	}
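Review bot: The added `(void *)` only silences the compiler's pointer-type diagnostic; the argument is still handed to `option_cache_dereference` as a `struct option_cache **`, and nothing at the call says why the stored member can safely be treated as that type. A one-line comment such as `/* car holds a struct option_cache * in a generic pointer field; cast via void * to avoid the pointer-type warning */` would keep the cast from being read as noise. That wording assumes this is the situation, so confirm it against the pair structure's declaration. The discover.c hunk at `omapi_object_dereference` goes further and replaces the typed cast with a bare `(void *)`, which removes the compiler's check on the argument type altogether; `(omapi_object_t **)(void *)` there would match this hunk. Both enclosing functions extend outside their hunks.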

Index: src/external/bsd/dhcp/dist/common/discover.c
diff -u src/external/bsd/dhcp/dist/common/discover.c:1.2 src/external/bsd/dhcp/dist/common/discover.c:1.3
--- src/external/bsd/dhcp/dist/common/discover.c:1.2	Sun Mar 24 11:53:58 2013
+++ src/external/bsd/dhcp/dist/common/discover.c	Thu Dec 19 17:05:58 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: discover.c,v 1.2 2013/03/24 15:53:58 christos Exp $	*/
+/*	$NetBSD: discover.c,v 1.3 2013/12/19 22:05:58 christos Exp $	*/
 
 /* discover.c
 
@@ -35,7 +35,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: discover.c,v 1.2 2013/03/24 15:53:58 christos Exp $);
+__RCSID($NetBSD: discover.c,v 1.3 2013/12/19 22:05:58 christos Exp $);
 
 #include dhcpd.h
 
@@ -1580,7 +1580,7 @@ isc_result_t dhcp_interface_destroy (oma
 		interface - client = (struct client_state *)0;
 
 	if (interface - shared_network)
-		omapi_object_dereference ((omapi_object_t **)
+		omapi_object_dereference ((void *)
 	  interface - shared_network, MDL);
 
 	return ISC_R_SUCCESS;



CVS commit: src/external/bsd/dhcp/dist/common

2013-12-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Dec 19 22:05:58 UTC 2013

Modified Files:
src/external/bsd/dhcp/dist/common: alloc.c discover.c

Log Message:
more casts


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/alloc.c
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/dhcp/dist/common/discover.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/external/bsd/dhcp/dist/common

2013-04-07 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Apr  8 02:16:03 UTC 2013

Modified Files:
src/external/bsd/dhcp/dist/common: bpf.c

Log Message:
Use the active link local layer address instead of the first one you find.
It would be nice if getifaddrs gave all the information needed instead of
needing a separate ioctl. Or at least if the inactive addresses were marked
down in flags?


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/bpf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcp/dist/common/bpf.c
diff -u src/external/bsd/dhcp/dist/common/bpf.c:1.1.1.2 src/external/bsd/dhcp/dist/common/bpf.c:1.2
--- src/external/bsd/dhcp/dist/common/bpf.c:1.1.1.2	Tue Mar 26 20:31:33 2013
+++ src/external/bsd/dhcp/dist/common/bpf.c	Sun Apr  7 22:16:03 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpf.c,v 1.1.1.2 2013/03/27 00:31:33 christos Exp $	*/
+/*	$NetBSD: bpf.c,v 1.2 2013/04/08 02:16:03 christos Exp $	*/
 
 /* bpf.c
 
@@ -35,7 +35,7 @@
  */
 
 #include sys/cdefs.h
-__RCSID($NetBSD: bpf.c,v 1.1.1.2 2013/03/27 00:31:33 christos Exp $);
+__RCSID($NetBSD: bpf.c,v 1.2 2013/04/08 02:16:03 christos Exp $);
 
 #include dhcpd.h
 #if defined (USE_BPF_SEND) || defined (USE_BPF_RECEIVE)	\
@@ -54,6 +54,7 @@ __RCSID($NetBSD: bpf.c,v 1.1.1.2 2013/0
 #  endif
 # endif
 
+#include sys/param.h
 #include netinet/in_systm.h
 #include includes/netinet/ip.h
 #include includes/netinet/udp.h
@@ -556,11 +557,50 @@ void maybe_setup_fallback ()
 	}
 }
 
+static int
+lladdr_active(int s, const char *name, const struct ifaddrs *ifa)
+{
+	if (ifa-ifa_addr-sa_family != AF_LINK)
+		return 0;
+	if (strcmp(ifa-ifa_name, name) != 0)
+		return 0;
+
+#ifdef SIOCGLIFADDR
+{
+	struct if_laddrreq iflr;
+	const struct sockaddr_dl *sdl;
+
+	sdl = satocsdl(ifa-ifa_addr);
+	memset(iflr, 0, sizeof(iflr));
+
+	strlcpy(iflr.iflr_name, ifa-ifa_name, sizeof(iflr.iflr_name));
+	memcpy(iflr.addr, ifa-ifa_addr, MIN(ifa-ifa_addr-sa_len,
+	sizeof(iflr.addr)));
+	iflr.flags = IFLR_PREFIX;
+	iflr.prefixlen = sdl-sdl_alen * NBBY;
+
+	if (ioctl(s, SIOCGLIFADDR, iflr) == -1) {
+		log_fatal(ioctl(SIOCGLIFADDR): %m);
+	}
+
+	if ((iflr.flags  IFLR_ACTIVE) == 0)
+		return 0;
+}
+#endif
+	return 1;
+}
+
+
 void
 get_hw_addr(const char *name, struct hardware *hw) {
 	struct ifaddrs *ifa;
 	struct ifaddrs *p;
 	struct sockaddr_dl *sa;
+	int s;
+
+	if ((s = socket(AF_LINK, SOCK_DGRAM, 0)) == -1) {
+		log_fatal(socket AF_LINK: %m);
+	}
 
 	if (getifaddrs(ifa) != 0) {
 		log_fatal(Error getting interface information; %m);
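Review bot: `lladdr_active` dereferences `ifa->ifa_addr` in its first test without checking it for NULL, and getifaddrs() may return entries whose `ifa_addr` is NULL; because `get_hw_addr` calls the helper for each entry it walks, one such entry ahead of the match would crash the process. I would make the first test `if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_LINK)`. Separately, `log_fatal` on a failed `SIOCGLIFADDR` aborts as soon as the ioctl rejects any single address; returning 0 for that address may be the safer choice, provided no caller relies on the abort. `get_hw_addr` continues outside this hunk.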
@@ -570,15 +610,16 @@ get_hw_addr(const char *name, struct har
 	 * Loop through our interfaces finding a match.
 	 */
 	sa = NULL;
-	for (p=ifa; (p != NULL)  (sa == NULL); p = p-ifa_next) {
-		if ((p-ifa_addr-sa_family == AF_LINK)  
-		!strcmp(p-ifa_name, name)) {
+	for (p = ifa; p != NULL; p = p-ifa_next) {
+		if (lladdr_active(s, name, p)) {
 			sa = (struct sockaddr_dl *)p-ifa_addr;
+			break;
 		}
 	}
 	if (sa == NULL) {
 		log_fatal(No interface called '%s', name);
 	}
+	close(s);
 
 	/*
 	 * Pull out the appropriate information.



CVS commit: src/external/bsd/dhcp/dist/common

2013-04-07 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Apr  8 02:16:03 UTC 2013

Modified Files:
src/external/bsd/dhcp/dist/common: bpf.c

Log Message:
Use the active link local layer address instead of the first one you find.
It would be nice if getifaddrs gave all the information needed instead of
needing a separate ioctl. Or at least if the inactive addresses were marked
down in flags?


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 src/external/bsd/dhcp/dist/common/bpf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.