Module Name: src Committed By: martin Date: Fri Apr 26 19:47:23 UTC 2019
Modified Files: src/external/bsd/dhcpcd/dist [netbsd-7]: configure src/external/bsd/dhcpcd/dist/src [netbsd-7]: auth.c dhcp.c dhcp6.c Added Files: src/external/bsd/dhcpcd/dist/compat [netbsd-7]: consttime_memequal.h Log Message: Apply patch, requested by roy in ticket #1690: external/bsd/dhcpcd/dist/configure external/bsd/dhcpcd/dist/src/auth.c external/bsd/dhcpcd/dist/src/dhcp.c external/bsd/dhcpcd/dist/src/dhcp6.c external/bsd/dhcpcd/dist/compat/consttime_memequal.h Security fixes for dhcpcd: Fix a potential buffer overflow reading NA/TA addresses. Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED. Use consttime_memequal(3) to compare hashes. To generate a diff of this commit: cvs rdiff -u -r1.1.1.8.2.2 -r1.1.1.8.2.3 \ src/external/bsd/dhcpcd/dist/configure cvs rdiff -u -r0 -r1.1.1.1.4.2 \ src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h cvs rdiff -u -r1.1.1.5.4.2 -r1.1.1.5.4.3 \ src/external/bsd/dhcpcd/dist/src/auth.c cvs rdiff -u -r1.11.4.3 -r1.11.4.4 src/external/bsd/dhcpcd/dist/src/dhcp.c cvs rdiff -u -r1.1.1.12.4.3 -r1.1.1.12.4.4 \ src/external/bsd/dhcpcd/dist/src/dhcp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/dhcpcd/dist/configure diff -u src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.2 src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.3 --- src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.2 Fri Jul 27 10:43:19 2018 +++ src/external/bsd/dhcpcd/dist/configure Fri Apr 26 19:47:23 2019 @@ -13,6 +13,7 @@ IPV4LL= INET6= ARC4RANDOM= CLOSEFROM= +CONSTTIME_MEMEQUAL= STRLCPY= UDEV= OS= @@ -845,6 +846,27 @@ if [ "$STRTOI" = no ]; then echo "#include \"compat/strtoi.h\"" >>$CONFIG_H fi +if [ -z "$CONSTTIME_MEMEQUAL" ]; then + printf "Testing for consttime_memequal ... " + cat <<EOF >_consttime_memequal.c +#include <string.h> +int main(void) { + return consttime_memequal("deadbeef", "deadbeef", 8); +} +EOF + if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then + CONSTTIME_MEMEQUAL=yes + else + CONSTTIME_MEMEQUAL=no + fi + echo "$CONSTTIME_MEMEQUAL" + rm -f _consttime_memequal.c _consttime_memequal +fi +if [ "$CONSTTIME_MEMEQUAL" = no ]; then + echo "#include \"compat/consttime_memequal.h\"" \ + >>$CONFIG_H +fi + if [ -z "$DPRINTF" ]; then printf "Testing for dprintf ... " cat <<EOF >_dprintf.c Index: src/external/bsd/dhcpcd/dist/src/auth.c diff -u src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.2 src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.3 --- src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.2 Fri Jul 27 10:43:20 2018 +++ src/external/bsd/dhcpcd/dist/src/auth.c Fri Apr 26 19:47:23 2019 @@ -354,7 +354,7 @@ gottoken: } free(mm); - if (memcmp(d, &hmac_code, dlen)) { + if (!consttime_memequal(d, &hmac_code, dlen)) { errno = EPERM; return NULL; } Index: src/external/bsd/dhcpcd/dist/src/dhcp.c diff -u src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.3 src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.4 --- src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.3 Sat Aug 25 15:03:00 2018 +++ src/external/bsd/dhcpcd/dist/src/dhcp.c Fri Apr 26 19:47:23 2019 @@ -212,6 +212,12 @@ get_option(struct dhcpcd_ctx *ctx, } l = *p++; + /* Check we can read the option data, if present */ + if (p + l > e) { + errno = EINVAL; + return NULL; + } + if (o == DHO_OPTSOVERLOADED) { /* Ensure we only get this option once by setting * the last bit as well as the value. @@ -246,10 +252,6 @@ get_option(struct dhcpcd_ctx *ctx, bp += ol; } ol = l; - if (p + ol >= e) { - errno = EINVAL; - return NULL; - } op = p; bl += ol; } Index: src/external/bsd/dhcpcd/dist/src/dhcp6.c diff -u src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.3 src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.4 --- src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.3 Sat Aug 25 15:03:00 2018 +++ src/external/bsd/dhcpcd/dist/src/dhcp6.c Fri Apr 26 19:47:23 2019 @@ -2015,12 +2015,12 @@ dhcp6_findna(struct interface *ifp, uint nd = o + ol; l -= (size_t)(nd - d); d = nd; - if (ol < 24) { + if (ol < sizeof(ia)) { errno = EINVAL; logerrx("%s: IA Address option truncated", ifp->name); continue; } - memcpy(&ia, o, ol); + memcpy(&ia, o, sizeof(ia)); ia.pltime = ntohl(ia.pltime); ia.vltime = ntohl(ia.vltime); /* RFC 3315 22.6 */ Added files: Index: src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h diff -u /dev/null src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h:1.1.1.1.4.2 --- /dev/null Fri Apr 26 19:47:23 2019 +++ src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h Fri Apr 26 19:47:23 2019 @@ -0,0 +1,28 @@ +/* + * Written by Matthias Drochner <droch...@netbsd.org>. + * Public domain. + */ + +#ifndef CONSTTIME_MEMEQUAL_H +#define CONSTTIME_MEMEQUAL_H +inline static int +consttime_memequal(const void *b1, const void *b2, size_t len) +{ + const unsigned char *c1 = b1, *c2 = b2; + unsigned int res = 0; + + while (len--) + res |= *c1++ ^ *c2++; + + /* + * Map 0 to 1 and [1, 256) to 0 using only constant-time + * arithmetic. + * + * This is not simply `!res' because although many CPUs support + * branchless conditional moves and many compilers will take + * advantage of them, certain compilers generate branches on + * certain CPUs for `!res'. + */ + return (1 & ((res - 1) >> 8)); +} +#endif /* CONSTTIME_MEMEQUAL_H */