CVS commit: [netbsd-7] src/external/bsd/dhcpcd/dist

2019-04-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Apr 26 19:47:23 UTC 2019

Modified Files:
src/external/bsd/dhcpcd/dist [netbsd-7]: configure
src/external/bsd/dhcpcd/dist/src [netbsd-7]: auth.c dhcp.c dhcp6.c
Added Files:
src/external/bsd/dhcpcd/dist/compat [netbsd-7]: consttime_memequal.h

Log Message:
Apply patch, requested by roy in ticket #1690:

external/bsd/dhcpcd/dist/configure
external/bsd/dhcpcd/dist/src/auth.c
external/bsd/dhcpcd/dist/src/dhcp.c
external/bsd/dhcpcd/dist/src/dhcp6.c
external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential buffer overflow reading NA/TA addresses.
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.8.2.2 -r1.1.1.8.2.3 \
src/external/bsd/dhcpcd/dist/configure
cvs rdiff -u -r0 -r1.1.1.1.4.2 \
src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h
cvs rdiff -u -r1.1.1.5.4.2 -r1.1.1.5.4.3 \
src/external/bsd/dhcpcd/dist/src/auth.c
cvs rdiff -u -r1.11.4.3 -r1.11.4.4 src/external/bsd/dhcpcd/dist/src/dhcp.c
cvs rdiff -u -r1.1.1.12.4.3 -r1.1.1.12.4.4 \
src/external/bsd/dhcpcd/dist/src/dhcp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcpcd/dist/configure
diff -u src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.2 src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.3
--- src/external/bsd/dhcpcd/dist/configure:1.1.1.8.2.2	Fri Jul 27 10:43:19 2018
+++ src/external/bsd/dhcpcd/dist/configure	Fri Apr 26 19:47:23 2019
@@ -13,6 +13,7 @@ IPV4LL=
 INET6=
 ARC4RANDOM=
 CLOSEFROM=
+CONSTTIME_MEMEQUAL=
 STRLCPY=
 UDEV=
 OS=
@@ -845,6 +846,27 @@ if [ "$STRTOI" = no ]; then
 	echo "#include			\"compat/strtoi.h\"" >>$CONFIG_H
 fi
 
+if [ -z "$CONSTTIME_MEMEQUAL" ]; then
+	printf "Testing for consttime_memequal ... "
+	cat <_consttime_memequal.c
+#include 
+int main(void) {
+	return consttime_memequal("deadbeef", "deadbeef", 8);
+}
+EOF
+	if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then
+		CONSTTIME_MEMEQUAL=yes
+	else
+		CONSTTIME_MEMEQUAL=no
+	fi
+	echo "$CONSTTIME_MEMEQUAL"
+	rm -f _consttime_memequal.c _consttime_memequal
+fi
+if [ "$CONSTTIME_MEMEQUAL" = no ]; then
+	echo "#include			\"compat/consttime_memequal.h\"" \
+	>>$CONFIG_H
+fi
+
 if [ -z "$DPRINTF" ]; then
 	printf "Testing for dprintf ... "
 	cat <_dprintf.c

Index: src/external/bsd/dhcpcd/dist/src/auth.c
diff -u src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.2 src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.3
--- src/external/bsd/dhcpcd/dist/src/auth.c:1.1.1.5.4.2	Fri Jul 27 10:43:20 2018
+++ src/external/bsd/dhcpcd/dist/src/auth.c	Fri Apr 26 19:47:23 2019
@@ -354,7 +354,7 @@ gottoken:
 	}
 
 	free(mm);
-	if (memcmp(d, &hmac_code, dlen)) {
+	if (!consttime_memequal(d, &hmac_code, dlen)) {
 		errno = EPERM;
 		return NULL;
 	}
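Review bot: The comparison in `consttime_memequal(d, &hmac_code, dlen)` still runs over `dlen` bytes, and nothing in this hunk ties `dlen` to the size of `hmac_code`. If `dlen` can be shorter than the digest, only a prefix is verified, and a zero length compares equal. If it can be longer, the call reads past `hmac_code`. That check may already exist earlier in the function, which starts outside this hunk, in which case a comment such as `/* dlen == sizeof(hmac_code) is enforced above; compare in constant time */` would record it. If it does not, reject any other `dlen` first and compare over `sizeof(hmac_code)`.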

Index: src/external/bsd/dhcpcd/dist/src/dhcp.c
diff -u src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.3 src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.4
--- src/external/bsd/dhcpcd/dist/src/dhcp.c:1.11.4.3	Sat Aug 25 15:03:00 2018
+++ src/external/bsd/dhcpcd/dist/src/dhcp.c	Fri Apr 26 19:47:23 2019
@@ -212,6 +212,12 @@ get_option(struct dhcpcd_ctx *ctx,
 		}
 		l = *p++;
 
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
 		if (o == DHO_OPTSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
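Review bot: The new bound `if (p + l > e)` forms the pointer `p + l` before testing it. When the option length runs past the buffer, that pointer lies more than one element beyond the end, which C leaves undefined and which an optimiser may assume never happens. Comparing lengths instead avoids the out-of-range pointer: `if (l > (size_t)(e - p)) {`. This relies on `p <= e` holding after `l = *p++;`, which depends on a check above the hunk, since get_option starts and ends outside it.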
@@ -246,10 +252,6 @@ get_option(struct dhcpcd_ctx *ctx,
 bp += ol;
 			}
 			ol = l;
-			if (p + ol >= e) {
-errno = EINVAL;
-return NULL;
-			}
 			op = p;
 			bl += ol;
 		}

Index: src/external/bsd/dhcpcd/dist/src/dhcp6.c
diff -u src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.3 src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.4
--- src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.3	Sat Aug 25 15:03:00 2018
+++ src/external/bsd/dhcpcd/dist/src/dhcp6.c	Fri Apr 26 19:47:23 2019
@@ -2015,12 +2015,12 @@ dhcp6_findna(struct interface *ifp, uint
 		nd = o + ol;
 		l -= (size_t)(nd - d);
 		d = nd;
-		if (ol < 24) {
+		if (ol < sizeof(ia)) {
 			errno = EINVAL;
 			logerrx("%s: IA Address option truncated", ifp->name);
 			continue;
 		}
-		memcpy(&ia, o, ol);
+		memcpy(&ia, o, sizeof(ia));
 		ia.pltime = ntohl(ia.pltime);
 		ia.vltime = ntohl(ia.vltime);
 		/* RFC 3315 22.6 */
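Review bot: The guard `ol < sizeof(ia)` and the copy `memcpy(&ia, o, sizeof(ia))` now depend on the in-memory size of `ia` matching the 24-byte wire size that the removed literal spelled out. The declaration of `ia` is outside the hunk, so its packing is not visible here. If the compiler pads the struct, valid options would be rejected as truncated and the copy length would change with it. A comment at the check, e.g. `/* sizeof(ia) must equal the 24-byte IA Address wire layout */`, or a compile-time size assertion next to the struct definition, would pin that assumption.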

Added files:

Index: src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h
diff -u /dev/null src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h:1.1.1.1.4.2
--- /dev/null	Fri Apr 26 19:47:23 2019
+++ src/external/bsd/dhcpcd/dist/compat/consttime_memequal.h	Fri Apr 26 19:47:23 2019
@@ -0,0 +1,28 @@
+/*
+ * Written by Matthias Drochner .
+ * Public domain.
+ */
+
+#ifndef CONSTTIME_MEMEQUAL_H
+#define CONSTTIME_MEMEQU

CVS commit: [netbsd-7] src/external/bsd/dhcpcd/dist/src

2019-05-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun May  5 09:02:45 UTC 2019

Modified Files:
src/external/bsd/dhcpcd/dist/src [netbsd-7]: dhcp6.c

Log Message:
Apply patch, requested by roy in ticket #1695:

external/bsd/dhcpcd/dist/src/dhcp6.c

DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.12.4.4 -r1.1.1.12.4.5 \
src/external/bsd/dhcpcd/dist/src/dhcp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcpcd/dist/src/dhcp6.c
diff -u src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.4 src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.5
--- src/external/bsd/dhcpcd/dist/src/dhcp6.c:1.1.1.12.4.4	Fri Apr 26 19:47:23 2019
+++ src/external/bsd/dhcpcd/dist/src/dhcp6.c	Sun May  5 09:02:45 2019
@@ -2152,40 +2152,38 @@ dhcp6_findpd(struct interface *ifp, cons
 			state->expire = a->prefix_vltime;
 		i++;
 
-		o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
 		a->prefix_exclude_len = 0;
 		memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude));
-#if 0
-		if (ex == NULL) {
-			struct dhcp6_option *w;
-			uint8_t *wp;
-
-			w = calloc(1, 128);
-			w->len = htons(2);
-			wp = D6_OPTION_DATA(w);
-			*wp++ = 64;
-			*wp++ = 0x78;
-			ex = w;
-		}
-#endif
+		o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
 		if (o == NULL)
 			continue;
-		if (ol < 2) {
-			logerrx("%s: truncated PD Exclude", ifp->name);
+
+		/* RFC 6603 4.2 says option length MUST be between 2 and 17.
+		 * This allows 1 octet for prefix length and 16 for the
+		 * subnet ID. */
+		if (ol < 2 || ol > 17) {
+			logerrx("%s: invalid PD Exclude option", ifp->name);
 			continue;
 		}
-		a->prefix_exclude_len = *o++;
+
+		/* RFC 6603 4.2 says prefix length MUST be between the
+		 * length of the IAPREFIX prefix length + 1 and 128. */
+		if (*o < a->prefix_len + 1 || *o > 128) {
+			logerrx("%s: invalid PD Exclude length", ifp->name);
+			continue;
+		}
+
 		ol--;
-		if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
-		!= ol)
-		{
+		/* Check option length matches prefix length. */
+		if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
 			logerrx("%s: PD Exclude length mismatch", ifp->name);
-			a->prefix_exclude_len = 0;
 			continue;
 		}
-		nb = a->prefix_len % NBBY;
+		a->prefix_exclude_len = *o++;
+
 		memcpy(&a->prefix_exclude, &a->prefix,
 		sizeof(a->prefix_exclude));
+		nb = a->prefix_len % NBBY;
 		if (nb)
 			ol--;
 		pw = a->prefix_exclude.s6_addr +
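Review bot: The range check `if (*o < a->prefix_len + 1 || *o > 128)` is also the only bound on `a->prefix_len` visible before it feeds the `a->prefix_exclude.s6_addr +` offset on the hunk's last line, and the comment above it does not say so. A `prefix_len` of 128 or more makes the condition always true, so such an IAPREFIX never reaches the pointer arithmetic. That is easy to lose in a later refactor unless `prefix_len` is also validated where the IAPREFIX is parsed, which is outside this hunk. I would extend the comment with `/* Also rejects a->prefix_len >= 128, which the s6_addr offset below relies on. */`. The `pw` statement and the rest of dhcp6_findpd continue past the end of the hunk.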