dist

Martin Husemann Wed, 01 May 2019 02:26:45 -0700

Module Name:    src
Committed By:   martin
Date:           Wed May  1 09:26:23 UTC 2019


Modified Files:
        src/external/bsd/dhcpcd/dist [netbsd-7-0]: auth.c dhcp.c dhcpcd.h

Log Message:
Apply patch, requested by roy in ticket #1690:

        external/bsd/dhcpcd/dist/configure
        external/bsd/dhcpcd/dist/src/auth.c
        external/bsd/dhcpcd/dist/src/dhcp.c
        external/bsd/dhcpcd/dist/src/dhcp6.c
        external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4.2.2 -r1.1.1.4.2.2.2.1 \
    src/external/bsd/dhcpcd/dist/auth.c
cvs rdiff -u -r1.15.2.2 -r1.15.2.2.2.1 src/external/bsd/dhcpcd/dist/dhcp.c
cvs rdiff -u -r1.1.1.19.2.2 -r1.1.1.19.2.2.2.1 \
    src/external/bsd/dhcpcd/dist/dhcpcd.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/dhcpcd/dist/auth.c
diff -u src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2 src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2.2.1
--- src/external/bsd/dhcpcd/dist/auth.c:1.1.1.4.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/auth.c	Wed May  1 09:26:23 2019
@@ -1,5 +1,5 @@
 #include <sys/cdefs.h>
- __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: auth.c,v 1.1.1.4.2.2.2.1 2019/05/01 09:26:23 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -340,7 +340,7 @@ gottoken:
 	}
 
 	free(mm);
-	if (memcmp(d, &hmac, dlen)) {
+	if (!consttime_memequal(d, &hmac, dlen)) {
 		errno = EPERM;
 		return NULL;
 	}

Index: src/external/bsd/dhcpcd/dist/dhcp.c
diff -u src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2 src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2.2.1
--- src/external/bsd/dhcpcd/dist/dhcp.c:1.15.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/dhcp.c	Wed May  1 09:26:23 2019
@@ -1,5 +1,5 @@
 #include <sys/cdefs.h>
- __RCSID("$NetBSD: dhcp.c,v 1.15.2.2 2015/02/05 15:13:12 martin Exp $");
+ __RCSID("$NetBSD: dhcp.c,v 1.15.2.2.2.1 2019/05/01 09:26:23 martin Exp $");
 
 /*
  * dhcpcd - DHCP client daemon
@@ -166,28 +166,6 @@ get_option(struct dhcpcd_ctx *ctx,
 
 	while (p < e) {
 		o = *p++;
-		if (o == opt) {
-			if (op) {
-				if (!ctx->opt_buffer) {
-					ctx->opt_buffer =
-					    malloc(DHCP_OPTION_LEN +
-					    BOOTFILE_LEN + SERVERNAME_LEN);
-					if (ctx->opt_buffer == NULL)
-						return NULL;
-				}
-				if (!bp)
-					bp = ctx->opt_buffer;
-				memcpy(bp, op, ol);
-				bp += ol;
-			}
-			ol = *p;
-			if (p + ol > e) {
-				errno = EINVAL;
-				return NULL;
-			}
-			op = p + 1;
-			bl += ol;
-		}
 		switch (o) {
 		case DHO_PAD:
 			continue;
@@ -205,16 +183,58 @@ get_option(struct dhcpcd_ctx *ctx,
 			} else
 				goto exit;
 			break;
-		case DHO_OPTIONSOVERLOADED:
+		}
+
+		/* Check we can read the length */
+		if (p == e) {
+			errno = EINVAL;
+			return NULL;
+		}
+		l = *p++;
+
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
+		if (o == DHO_OPTIONSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
 			 * This is valid because only the first two bits
 			 * actually mean anything in RFC2132 Section 9.3 */
-			if (!overl)
-				overl = 0x80 | p[1];
-			break;
+			if (l == 1 && !overl)
+				overl = 0x80 | p[0];
+		}
+
+		if (o == opt) {
+			if (op) {
+				/* We must concatonate the options. */
+				if (bl + l > ctx->opt_buffer_len) {
+					size_t pos;
+					uint8_t *nb;
+
+					if (bp)
+						pos = (size_t)
+						    (bp - ctx->opt_buffer);
+					else
+						pos = 0;
+					nb = realloc(ctx->opt_buffer, bl + l);
+					if (nb == NULL)
+						return NULL;
+					ctx->opt_buffer = nb;
+					ctx->opt_buffer_len = bl + l;
+					bp = ctx->opt_buffer + pos;
+				}
+				if (bp == NULL)
+					bp = ctx->opt_buffer;
+				memcpy(bp, op, ol);
+				bp += ol;
+			}
+			ol = l;
+			op = p;
+			bl += ol;
 		}
-		l = *p++;
 		p += l;
 	}
 

Index: src/external/bsd/dhcpcd/dist/dhcpcd.h
diff -u src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2 src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2.2.1
--- src/external/bsd/dhcpcd/dist/dhcpcd.h:1.1.1.19.2.2	Thu Feb  5 15:13:12 2015
+++ src/external/bsd/dhcpcd/dist/dhcpcd.h	Wed May  1 09:26:23 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2 2015/02/05 15:13:12 martin Exp $ */
+/* $NetBSD: dhcpcd.h,v 1.1.1.19.2.2.2.1 2019/05/01 09:26:23 martin Exp $ */
 
 /*
  * dhcpcd - DHCP client daemon
@@ -131,6 +131,7 @@ struct dhcpcd_ctx {
 	 * We ONLY use this when options are split, which for most purposes is
 	 * practically never. See RFC3396 for details. */
 	uint8_t *opt_buffer;
+	size_t opt_buffer_len;
 #endif
 #ifdef INET6
 	unsigned char secret[SECRET_LEN];

CVS commit: [netbsd-7-0] src/external/bsd/dhcpcd/dist

Reply via email to