package/fastd: fix CVE-2020-27638

receive.c in fastd before v21 allows denial of service (assertion
failure) when receiving packets with an invalid type code.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
new file mode 100644 (file)
index 0000000..f4a44fe
--- /dev/null
+++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
@@ -0,0 +1,45 @@
+From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 19 Oct 2020 21:08:16 +0200
+Subject: [PATCH] receive: fix buffer leak when receiving invalid packets
+
+For fastd versions before v20, this was just a memory leak (which could
+still be used for DoS, as it's remotely triggerable). With the new
+buffer management of fastd v20, this will trigger an assertion failure
+instead as soon as the buffer pool is empty.
+
+[Retrieved from:
+https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/receive.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/receive.c b/src/receive.c
+index 043c9f2..6bca9f4 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known(
+ 
+       case PACKET_HANDSHAKE:
+               fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
++              break;
++
++      default:
++              fastd_buffer_free(buffer);
++              pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
+       }
+ }
+ 
+@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown(
+ 
+       case PACKET_HANDSHAKE:
+               fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
++              break;
++
++      default:
++              fastd_buffer_free(buffer);
++              pr_debug("received packet with invalid type from unknown address %I", remote_addr);
+       }
+ }
+ 

diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk
index b1261f0fa5a4cb5f7a63f2abd097a777a6882830..d556e2fbb154868d3c2cbd5223c6225988131adb 100644 (file)
--- a/package/fastd/fastd.mk
+++ b/package/fastd/fastd.mk
@@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT
 FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON
 FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap
 
+# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
+FASTD_IGNORE_CVES += CVE-2020-27638
+
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
 FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON
 FASTD_DEPENDENCIES += openssl