dhcpcd-discuss

Remotely exploitable crash in dhcpcd

Jason A. Donenfeld

Fri Jun 23 21:00:40 2017

Hi Roy,

I found that by sending the same exact DHCP response to two different
DHCP requests on different interfaces, I was able to segfault dhcpcd.
The attached patch fixes the problem, though you might want to
investigate a bit further precisely why this is necessary.

Regards,
Jason

diff -ru dhcpcd-7.0.0-rc1/src/ipv4.c dhcpcd-7.0.0-rc1-fixed/src/ipv4.c
--- dhcpcd-7.0.0-rc1/src/ipv4.c	2017-05-10 12:24:28.000000000 +0200
+++ dhcpcd-7.0.0-rc1-fixed/src/ipv4.c	2017-06-23 22:37:55.929857908 +0200
@@ -255,7 +255,7 @@
 	int n;
 
 	state = D_CSTATE(ifp);
-	if (state == NULL || state->state != DHS_BOUND)
+	if (state == NULL || state->state != DHS_BOUND || state->addr == NULL)
 		return 0;
 
 	TAILQ_INIT(&nroutes);
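Review bot: the added `state->addr == NULL` condition in the early-return check is a defensive guard that stops the dereference but leaves the underlying question open, which the cover mail itself raises. A state that is `DHS_BOUND` with no address is an inconsistent state, and returning 0 silently leaves it in place for the next caller to trip over. Suggest keeping the guard but making it visible when it fires (a log line or an assertion in debug builds) and adding a short comment above the `if` explaining under what circumstances a bound state can have `addr` unset, so that whoever investigates the root cause has a pointer to start from rather than a check that hides the symptom.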

Follow-Ups:
Re: Remotely exploitable crash in dhcpcd (Roy Marples)
Re: Remotely exploitable crash in dhcpcd (Jason A. Donenfeld)