From 047cec5993223944d0765468f11aa137d3ade543 Mon Sep 17 00:00:00 2001 From: Baruch Siach Date: Sat, 3 Mar 2018 21:43:56 +0200 Subject: [PATCH] dhcp: add upstream security fixes CVE-2018-5732: The DHCP client incorrectly handled certain malformed responses. A remote attacker could use this issue to cause the DHCP client to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the dhclient AppArmor profile. CVE-2018-5733: The DHCP server incorrectly handled reference counting. A remote attacker could possibly use this issue to cause the DHCP server to crash, resulting in a denial of service. Both issues are fixed in version 4.4.1. But we are close to release, so backport the fixes instead of bumping version. Signed-off-by: Baruch Siach Signed-off-by: Peter Korsgaard --- ...uffer-overrun-in-pretty_print_option.patch | 59 +++++++++++++++++++ ...rected-refcnt-loss-in-option-parsing.patch | 40 +++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch create mode 100644 package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch diff --git a/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch b/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch new file mode 100644 index 0000000000..aad20ff93f --- /dev/null +++ b/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch @@ -0,0 +1,59 @@ +From b8c29336bd5401a5f962bc6ddfa4ebb6f0274f3c Mon Sep 17 00:00:00 2001 +From: Thomas Markwalder +Date: Sat, 10 Feb 2018 12:15:27 -0500 +Subject: [PATCH 1/2] Correct buffer overrun in pretty_print_option + + Merges in rt47139. + +[baruch: drop RELNOTES and test; address CVE-2018-5732] +Signed-off-by: Baruch Siach +--- +Upstream status: backported from commit c5931725b48 +--- + common/options.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/common/options.c b/common/options.c +index 5547287fb6e5..2ed6b16c6412 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -1758,7 +1758,8 @@ format_min_length(format, oc) + + + /* Format the specified option so that a human can easily read it. */ +- ++/* Maximum pretty printed size */ ++#define MAX_OUTPUT_SIZE 32*1024 + const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + struct option *option; + const unsigned char *data; +@@ -1766,8 +1767,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + int emit_commas; + int emit_quotes; + { +- static char optbuf [32768]; /* XXX */ +- static char *endbuf = &optbuf[sizeof(optbuf)]; ++ /* We add 128 byte pad so we don't have to add checks everywhere. */ ++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */ ++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE; + int hunksize = 0; + int opthunk = 0; + int hunkinc = 0; +@@ -2193,7 +2195,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + log_error ("Unexpected format code %c", + fmtbuf [j]); + } ++ + op += strlen (op); ++ if (op >= endbuf) { ++ log_error ("Option data exceeds" ++ " maximum size %d", MAX_OUTPUT_SIZE); ++ return (""); ++ } ++ + if (dp == data + len) + break; + if (j + 1 < numelem && comma != ':') +-- +2.16.1 + diff --git a/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch b/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch new file mode 100644 index 0000000000..c79bbc7f82 --- /dev/null +++ b/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch @@ -0,0 +1,40 @@ +From 93b5b67dd31b9efcbfaabc2df1e1d9d164a5e04a Mon Sep 17 00:00:00 2001 +From: Thomas Markwalder +Date: Fri, 9 Feb 2018 14:46:08 -0500 +Subject: [PATCH 2/2] Corrected refcnt loss in option parsing + + Merges in 47140. + +[baruch: drop RELNOTES and tests; address CVE-2018-5733] +Signed-off-by: Baruch Siach +--- +Upstream status: backported from commit 197b26f25309 +--- + common/options.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/common/options.c b/common/options.c +index 2ed6b16c6412..25b29a6be7bb 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -3,7 +3,7 @@ + DHCP options parsing and reassembly. */ + + /* +- * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2004-2018 by Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 1995-2003 by Internet Software Consortium + * + * Permission to use, copy, modify, and distribute this software for any +@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer, length, universe) + + /* If the length is outrageous, the options are bad. */ + if (offset + len > length) { ++ /* Avoid reference count overflow */ ++ option_dereference(&option, MDL); + reason = "option length exceeds option buffer length"; + bogus: + log_error("parse_option_buffer: malformed option " +-- +2.16.1 + -- 2.30.2