Module Name: src Committed By: martin Date: Wed May 1 09:26:23 UTC 2019
Modified Files: src/external/bsd/dhcpcd/dist [netbsd-7-0]: auth.c dhcp.c dhcpcd.h Log Message: Apply patch, requested by roy in ticket #1690: external/bsd/dhcpcd/dist/configure external/bsd/dhcpcd/dist/src/auth.c external/bsd/dhcpcd/dist/src/dhcp.c external/bsd/dhcpcd/dist/src/dhcp6.c external/bsd/dhcpcd/dist/compat/consttime_memequal.h Security fixes for dhcpcd: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED. Use consttime_memequal(3) to compare hashes. To generate a diff of this commit: cvs rdiff -u -r1.1.1.4.2.2 -r1.1.1.4.2.2.2.1 \ src/external/bsd/dhcpcd/dist/auth.c cvs rdiff -u -r1.15.2.2 -r1.15.2.2.2.1 src/external/bsd/dhcpcd/dist/dhcp.c cvs rdiff -u -r1.1.1.19.2.2 -r1.1.1.19.2.2.2.1 \ src/external/bsd/dhcpcd/dist/dhcpcd.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/dhcpcd/dist/auth.c diff -u src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2 src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2.2.1 --- src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2 Thu Feb 5 15:13:12 2015 +++ src/external/bsd/dhcpcd/dist/auth.c Wed May 1 09:26:23 2019 @@ -1,5 +1,5 @@ #include <sys/cdefs.h> - __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2 2015/02/05 15:13:12 martin Exp $"); + __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2.2.1 2019/05/01 09:26:23 martin Exp $"); /* * dhcpcd - DHCP client daemon @@ -340,7 +340,7 @@ gottoken: } free(mm); - if (memcmp(d, &hmac, dlen)) { + if (!consttime_memequal(d, &hmac, dlen)) { errno = EPERM; return NULL; } Index: src/external/bsd/dhcpcd/dist/dhcp.c diff -u src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2 src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2.2.1 --- src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2 Thu Feb 5 15:13:12 2015 +++ src/external/bsd/dhcpcd/dist/dhcp.c Wed May 1 09:26:23 2019 @@ -1,5 +1,5 @@ #include <sys/cdefs.h> - __RCSID("$NetBSD: dhcp.c,v 1.15.2.2 2015/02/05 15:13:12 martin Exp $"); + __RCSID("$NetBSD: dhcp.c,v 1.15.2.2.2.1 2019/05/01 09:26:23 martin Exp $"); /* * dhcpcd - DHCP client daemon @@ -166,28 +166,6 @@ get_option(struct dhcpcd_ctx *ctx, while (p < e) { o = *p++; - if (o == opt) { - if (op) { - if (!ctx->opt_buffer) { - ctx->opt_buffer = - malloc(DHCP_OPTION_LEN + - BOOTFILE_LEN + SERVERNAME_LEN); - if (ctx->opt_buffer == NULL) - return NULL; - } - if (!bp) - bp = ctx->opt_buffer; - memcpy(bp, op, ol); - bp += ol; - } - ol = *p; - if (p + ol > e) { - errno = EINVAL; - return NULL; - } - op = p + 1; - bl += ol; - } switch (o) { case DHO_PAD: continue; @@ -205,16 +183,58 @@ get_option(struct dhcpcd_ctx *ctx, } else goto exit; break; - case DHO_OPTIONSOVERLOADED: + } + + /* Check we can read the length */ + if (p == e) { + errno = EINVAL; + return NULL; + } + l = *p++; + + /* Check we can read the option data, if present */ + if (p + l > e) { + errno = EINVAL; + return NULL; + } + + if (o == DHO_OPTIONSOVERLOADED) { /* Ensure we only get this option once by setting * the last bit as well as the value. * This is valid because only the first two bits * actually mean anything in RFC2132 Section 9.3 */ - if (!overl) - overl = 0x80 | p[1]; - break; + if (l == 1 && !overl) + overl = 0x80 | p[0]; + } + + if (o == opt) { + if (op) { + /* We must concatonate the options. */ + if (bl + l > ctx->opt_buffer_len) { + size_t pos; + uint8_t *nb; + + if (bp) + pos = (size_t) + (bp - ctx->opt_buffer); + else + pos = 0; + nb = realloc(ctx->opt_buffer, bl + l); + if (nb == NULL) + return NULL; + ctx->opt_buffer = nb; + ctx->opt_buffer_len = bl + l; + bp = ctx->opt_buffer + pos; + } + if (bp == NULL) + bp = ctx->opt_buffer; + memcpy(bp, op, ol); + bp += ol; + } + ol = l; + op = p; + bl += ol; } - l = *p++; p += l; } Index: src/external/bsd/dhcpcd/dist/dhcpcd.h diff -u src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2 src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2.2.1 --- src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2 Thu Feb 5 15:13:12 2015 +++ src/external/bsd/dhcpcd/dist/dhcpcd.h Wed May 1 09:26:23 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2 2015/02/05 15:13:12 martin Exp $ */ +/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2.2.1 2019/05/01 09:26:23 martin Exp $ */ /* * dhcpcd - DHCP client daemon @@ -131,6 +131,7 @@ struct dhcpcd_ctx { * We ONLY use this when options are split, which for most purposes is * practically never. See RFC3396 for details. */ uint8_t *opt_buffer; + size_t opt_buffer_len; #endif #ifdef INET6 unsigned char secret[SECRET_LEN];