Re: Backporting two dhcpcd security patches to 6.0.5
Chris Lamb
Sun May 12 18:23:21 2019
Hey Roy,
> I don't officially support dhcpcd-6 anymore - it just gets the latest
> security fix to the last release.
Thanks for your response. I totally understand that this is not
"officially" supported so I really appreciate your attention and time
here.
> > The first is about CVE-2019-11579 regarding the 1-byte read overflow
> > with the handling of DHO_OPTSOVERLOADED. The diff in question [1]
> > that remedies this essentially just moves some code out of the case
> > handling, but this code is not part of dhcpcd 6.0.5 which only has:
> >
> > case DHO_OPTIONSOVERLOADED:
> > /* Ensure we only get this option once by setting
> > * the last bit as well as the value.
> > * This is valid because only the first two bits
> > * actually mean anything in RFC2132 Section 9.3 */
> > if (!overl)
> > overl = 0x80 | p[1];
> > break;
> >
> > … as part of the case statement. Does this mean that 6.0.5 is not
> > vulnerable to CVE-2019-11579 or that it *is* because it lacks the
> > underlying check?
>
> It is vulnerable because it looks at p[1].
> At this point we've not checked option length OR if it's inside the buffer.
Gotcha, so something like:
op = p + 1;
bl += ol;
}
+ if (p + l > e) {
+ errno = EINVAL;
+ return NULL;
+ }
switch (o) {
case DHO_PAD:
continue;
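Review bot: the added `if (p + l > e)` check sits before `switch (o)`, but nothing in this hunk loads the current option's length into `l` ahead of it, so as placed it tests whatever `l` held from the previous option and a truncated option 52 still reaches `p[1]` unchecked. It also runs ahead of `case DHO_PAD: continue;`, and a pad option has no length byte, so a trailing pad can be rejected with EINVAL on stale `l`. Move the check to the point where the length byte has actually been consumed for this option, after the pad and end cases, which is in keeping with the upstream change of moving the DHO_OPTIONSOVERLOADED handling out of the case statement rather than guarding it in place.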
… might be sufficient, or might we also need?
- if (!overl)
+ if (l == 1 && !overl)
overl = 0x80 | p[1];
break;
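Review bot: `l == 1` is the right condition (RFC 2132 section 9.3 defines option 52 with a length of exactly 1), but it only helps if `l` holds this option's length when the `case` runs; inside a switch that executes before the length byte is consumed, `l` is stale and `p[1]` is still read without any bounds check. If the length read and the `p + l > e` check are moved ahead of this code, `p` will then point at the option data rather than the length byte and `p[1]` would need to become `p[0]`; worth checking the index against the upstream diff rather than carrying `p[1]` over unchanged.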
… too?
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@xxxxxxxxxx 🍥 chris-lamb.co.uk
`-
Archive administrator: postmaster@marples.name
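Added example, my own code and not anything from dhcpcd: the shape of the bug Roy describes, a scanner that reads p[1] from inside the option switch before the length byte has been validated, next to a version that consumes and bounds-checks the length first and only accepts option 52 when l == 1. The function names, the SENTINEL padding and the three option buffers are constructed for this illustration and are assumptions, not dhcpcd's get_option.

```c
/*
 * Added example, not dhcpcd code: a cut-down scanner over the DHCP options
 * field in two shapes. scan_options_unchecked() mirrors the 6.0.5 pattern
 * quoted in the thread (p[1] read inside the option switch before the
 * length byte is validated); scan_options_checked() applies the two guards
 * under discussion. Names and buffers are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHO_PAD               0
#define DHO_OPTIONSOVERLOADED 52
#define DHO_END               255

/* Byte placed just past the end of each constructed buffer so an over-read
 * stays inside the array and is observable instead of undefined behaviour. */
#define SENTINEL 0x05

typedef int (*scanner_fn)(const uint8_t *, const uint8_t *, uint8_t *);

/* Vulnerable shape: when the case runs, p points at the length byte and
 * p[1] at the data byte, but neither has been checked against e yet. */
int scan_options_unchecked(const uint8_t *p, const uint8_t *e, uint8_t *overl)
{
    uint8_t o, l;

    *overl = 0;
    while (p < e) {
        o = *p++;
        switch (o) {
        case DHO_PAD:
            continue;
        case DHO_END:
            return 0;
        case DHO_OPTIONSOVERLOADED:
            if (!*overl)
                *overl = 0x80 | p[1];   /* may be past e */
            break;
        }
        l = *p++;                       /* length byte, may also be past e */
        if (e - p < l)                  /* the bounds check, but too late */
            return -1;
        p += l;
    }
    return 0;
}

/* Hardened shape: consume and bounds-check the length before touching any
 * data byte, and accept option 52 only with its RFC 2132 length of 1. */
int scan_options_checked(const uint8_t *p, const uint8_t *e, uint8_t *overl)
{
    uint8_t o, l;

    *overl = 0;
    while (p < e) {
        o = *p++;
        if (o == DHO_PAD)
            continue;
        if (o == DHO_END)
            return 0;
        if (p == e)                     /* no room for a length byte */
            return -1;
        l = *p++;
        if (e - p < l)                  /* option data must fit in [p, e) */
            return -1;
        if (o == DHO_OPTIONSOVERLOADED && l == 1 && !*overl)
            *overl = 0x80 | p[0];       /* p now points at the data byte */
        p += l;
    }
    return 0;
}

/* Constructed inputs (assumed, not captured traffic): options then padding. */
uint8_t opts_good[]     = {53, 1, 2, 52, 1, 3, 255, SENTINEL, SENTINEL};
size_t  opts_good_len   = 7;
/* option 52 with its length byte but no data byte: the 1-byte over-read */
uint8_t opts_trunc[]    = {53, 1, 2, 52, 1, SENTINEL, SENTINEL};
size_t  opts_trunc_len  = 5;
/* option 52 with length 0: p[1] is really the DHO_END byte */
uint8_t opts_badlen[]   = {52, 0, 255, SENTINEL, SENTINEL};
size_t  opts_badlen_len = 3;

/* Run one scanner over a buffer and report its status / overload value. */
int scan_status(scanner_fn fn, const uint8_t *opts, size_t n)
{
    uint8_t overl;
    return fn(opts, opts + n, &overl);
}

int scan_overload(scanner_fn fn, const uint8_t *opts, size_t n)
{
    uint8_t overl;
    (void)fn(opts, opts + n, &overl);
    return overl;
}

int main(void)
{
    struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
        {"well-formed", opts_good,   opts_good_len},
        {"truncated",   opts_trunc,  opts_trunc_len},
        {"length 0",    opts_badlen, opts_badlen_len},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-11s unchecked: status %2d overl 0x%02x | checked: status %2d overl 0x%02x\n",
               cases[i].name,
               scan_status(scan_options_unchecked, cases[i].buf, cases[i].len),
               scan_overload(scan_options_unchecked, cases[i].buf, cases[i].len),
               scan_status(scan_options_checked, cases[i].buf, cases[i].len),
               scan_overload(scan_options_checked, cases[i].buf, cases[i].len));
    return 0;
}
```

In the truncated case the unchecked scanner has already taken the sentinel (0x85) as the overload setting by the time its own bounds check fails, which is the read Roy is pointing at; the checked scanner returns -1 without touching that byte. The length-0 case shows why the `l == 1` guard matters on its own: without it the byte after the length field, here the DHO_END marker, is accepted as the overload value.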