dist

Martin Husemann Fri, 26 Apr 2019 12:47:56 -0700

Module Name:    src
Committed By:   martin
Date:           Fri Apr 26 19:47:23 UTC 2019


Modified Files:
        src/external/bsd/dhcpcd/dist [netbsd-7]: configure
        src/external/bsd/dhcpcd/dist/src [netbsd-7]: auth.c dhcp.c dhcp6.c
Added Files:
        src/external/bsd/dhcpcd/dist/compat [netbsd-7]: consttime_memequal.h

Log Message:
Apply patch, requested by roy in ticket #1690:

        external/bsd/dhcpcd/dist/configure
        external/bsd/dhcpcd/dist/src/auth.c
        external/bsd/dhcpcd/dist/src/dhcp.c
        external/bsd/dhcpcd/dist/src/dhcp6.c
        external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential buffer overflow reading NA/TA addresses.
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.8.2.2 -r1.1.1.8.2.3 \
    src/external/bsd/dhcpcd/dist/configure
cvs rdiff -u -r0 -r1.1.1.1.4.2 \
    src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h
cvs rdiff -u -r1.1.1.5.4.2 -r1.1.1.5.4.3 \
    src/external/bsd/dhcpcd/dist/src/auth.c
cvs rdiff -u -r1.11.4.3 -r1.11.4.4 src/external/bsd/dhcpcd/dist/src/dhcp.c
cvs rdiff -u -r1.1.1.12.4.3 -r1.1.1.12.4.4 \
    src/external/bsd/dhcpcd/dist/src/dhcp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcpcd/dist/configure
diff -u src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.2 src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.3
--- src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.2	Fri Jul 27 10:43:19 2018
+++ src/external/bsd/dhcpcd/dist/configure	Fri Apr 26 19:47:23 2019
@@ -13,6 +13,7 @@ IPV4LL=
 INET6=
 ARC4RANDOM=
 CLOSEFROM=
+CONSTTIME_MEMEQUAL=
 STRLCPY=
 UDEV=
 OS=
@@ -845,6 +846,27 @@ if [ "$STRTOI" = no ]; then
 	echo "#include			\"compat/strtoi.h\"" >>$CONFIG_H
 fi
 
+if [ -z "$CONSTTIME_MEMEQUAL" ]; then
+	printf "Testing for consttime_memequal ... "
+	cat <<EOF >_consttime_memequal.c
+#include <string.h>
+int main(void) {
+	return consttime_memequal("deadbeef", "deadbeef", 8);
+}
+EOF
+	if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then
+		CONSTTIME_MEMEQUAL=yes
+	else
+		CONSTTIME_MEMEQUAL=no
+	fi
+	echo "$CONSTTIME_MEMEQUAL"
+	rm -f _consttime_memequal.c _consttime_memequal
+fi
+if [ "$CONSTTIME_MEMEQUAL" = no ]; then
+	echo "#include			\"compat/consttime_memequal.h\"" \
+	    >>$CONFIG_H
+fi
+
 if [ -z "$DPRINTF" ]; then
 	printf "Testing for dprintf ... "
 	cat <<EOF >_dprintf.c

Index: src/external/bsd/dhcpcd/dist/src/auth.c
diff -u src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.2 src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.3
--- src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.2	Fri Jul 27 10:43:20 2018
+++ src/external/bsd/dhcpcd/dist/src/auth.c	Fri Apr 26 19:47:23 2019
@@ -354,7 +354,7 @@ gottoken:
 	}
 
 	free(mm);
-	if (memcmp(d, &hmac_code, dlen)) {
+	if (!consttime_memequal(d, &hmac_code, dlen)) {
 		errno = EPERM;
 		return NULL;
 	}

Index: src/external/bsd/dhcpcd/dist/src/dhcp.c
diff -u src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.3 src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.4
--- src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.3	Sat Aug 25 15:03:00 2018
+++ src/external/bsd/dhcpcd/dist/src/dhcp.c	Fri Apr 26 19:47:23 2019
@@ -212,6 +212,12 @@ get_option(struct dhcpcd_ctx *ctx,
 		}
 		l = *p++;
 
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
 		if (o == DHO_OPTSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
@@ -246,10 +252,6 @@ get_option(struct dhcpcd_ctx *ctx,
 				bp += ol;
 			}
 			ol = l;
-			if (p + ol >= e) {
-				errno = EINVAL;
-				return NULL;
-			}
 			op = p;
 			bl += ol;
 		}

Index: src/external/bsd/dhcpcd/dist/src/dhcp6.c
diff -u src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.3 src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.4
--- src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.3	Sat Aug 25 15:03:00 2018
+++ src/external/bsd/dhcpcd/dist/src/dhcp6.c	Fri Apr 26 19:47:23 2019
@@ -2015,12 +2015,12 @@ dhcp6_findna(struct interface *ifp, uint
 		nd = o + ol;
 		l -= (size_t)(nd - d);
 		d = nd;
-		if (ol < 24) {
+		if (ol < sizeof(ia)) {
 			errno = EINVAL;
 			logerrx("%s: IA Address option truncated", ifp->name);
 			continue;
 		}
-		memcpy(&ia, o, ol);
+		memcpy(&ia, o, sizeof(ia));
 		ia.pltime = ntohl(ia.pltime);
 		ia.vltime = ntohl(ia.vltime);
 		/* RFC 3315 22.6 */

Added files:

Index: src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h
diff -u /dev/null src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h:1.1.1.1.4.2
--- /dev/null	Fri Apr 26 19:47:23 2019
+++ src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h	Fri Apr 26 19:47:23 2019
@@ -0,0 +1,28 @@
+/*
+ * Written by Matthias Drochner <droch...@netbsd.org>.
+ * Public domain.
+ */
+
+#ifndef CONSTTIME_MEMEQUAL_H
+#define CONSTTIME_MEMEQUAL_H
+inline static int
+consttime_memequal(const void *b1, const void *b2, size_t len)
+{
+	const unsigned char *c1 = b1, *c2 = b2;
+	unsigned int res = 0;
+
+	while (len--)
+		res |= *c1++ ^ *c2++;
+
+	/*
+	 * Map 0 to 1 and [1, 256) to 0 using only constant-time
+	 * arithmetic.
+	 *
+	 * This is not simply `!res' because although many CPUs support
+	 * branchless conditional moves and many compilers will take
+	 * advantage of them, certain compilers generate branches on
+	 * certain CPUs for `!res'.
+	 */
+	return (1 & ((res - 1) >> 8));
+}
+#endif /* CONSTTIME_MEMEQUAL_H */

CVS commit: [netbsd-7] src/external/bsd/dhcpcd/dist

Reply via email to