dhcpcd-discuss

Re: Backporting two dhcpcd security patches to 6.0.5

Chris Lamb

Sun May 12 18:23:21 2019

Hey Roy,


> I don't officially support dhcpcd-6 anymore - it just gets the latest 
> security fix to the last release.

Thanks for your response. I totally understand that this is not
"officially" supported so I really appreciate your attention and time
here.

> > The first is about CVE-2019-11579 regarding the 1-byte read overflow
> > with the handling of DHO_OPTSOVERLOADED. The diff in question [1]
> > that remedies this essentially just moves some code out of the case
> > handling, but this code is not part of dhcpcd 6.0.5 which only has:
> > 
> > 		case DHO_OPTIONSOVERLOADED:
> > 			/* Ensure we only get this option once by setting
> > 			 * the last bit as well as the value.
> > 			 * This is valid because only the first two bits
> > 			 * actually mean anything in RFC2132 Section 9.3 */
> > 			if (!overl)
> > 				overl = 0x80 | p[1];
> > 			break;
> > 
> > … as part of the case statement. Does this mean that 6.0.5 is not
> > vulnerable to CVE-2019-11579 or that it *is* because it lacks the
> > underlying check?
> 
> It is vulnerable because it looks at p[1].
> At this point we've not checked option length OR if it's inside the buffer.


Getcha, so something like:

 			op = p + 1;
 			bl += ol;
 		}
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
 		switch (o) {
 		case DHO_PAD:
 			continue;
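Review bot: the check `if (p + l > e)` lets through an option whose last payload byte sits exactly at e if p still addresses the length byte when it runs, which the surrounding lines suggest (op = p + 1 in the matching branch above, and overl = 0x80 | p[1] in the 6.0.5 overload case): with the length at p[0] the payload spans p[1]..p[l], so the condition needs to be `p + 1 + l > e`, or better `l >= e - p`, which also avoids forming a pointer past the end of the buffer. Two further things to confirm: that the length byte itself is read only after its own position has been bounds-checked (that read precedes this hunk and is not shown), and that every caller treats a NULL return with errno == EINVAL as a rejected packet rather than an absent option.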

… might be sufficient, or might we also need:

-			if (!overl)
+			if (l == 1 && !overl)
 				overl = 0x80 | p[1];
 			break;
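Review bot: `l == 1 && !overl` silently skips a DHO_OPTIONSOVERLOADED option of any other length instead of rejecting it; since the first hunk already returns NULL with errno = EINVAL for a truncated option, the same treatment for a wrong-length overload option would be more consistent than continuing to parse a packet that is already malformed. The read of p[1] is also only as safe as the preceding length check makes it: if p addresses the length byte here, a check written as `p + l > e` with l == 1 still permits p[1] to be e, so the two hunks need to agree on which byte p refers to before this guard can be relied on.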

… too?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@xxxxxxxxxx 🍥 chris-lamb.co.uk
       `-

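The bug under discussion is a parser that reads an option's value (p[1]) before verifying that the length byte and the payload lie inside the buffer. The following is an added example, not dhcpcd's code and not from either poster: a bounds-checked walk over a DHCP options area laid out as RFC 2132 describes (code, length, data), which checks each byte's position before reading it and rejects an overload option whose length is not 1. The option codes (DHO_PAD = 0, DHO_OPTIONSOVERLOADED = 52, DHO_END = 255) are the standard RFC 2132 values; the sample buffers are constructed, not captured traffic.

```c
/* Added example (not dhcpcd code): bounds-checked DHCP options walk.
 * Assumptions: standard RFC 2132 option codes below; the buffer holds the
 * raw options area only (no magic cookie). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHO_PAD                 0
#define DHO_OPTIONSOVERLOADED   52
#define DHO_END                 255

/* Walks the options and reports the overload value if present.
 * Returns 1 if found (value stored in *overl), 0 if absent,
 * -1 with errno = EINVAL if the options area is malformed. */
int dhcp_get_overload(const uint8_t *buf, size_t len, uint8_t *overl)
{
	const uint8_t *p = buf;
	const uint8_t *e = buf + len;
	int found = 0;

	while (p < e) {
		uint8_t o = *p++;   /* code byte: the loop condition covers it */
		size_t l;

		/* PAD and END are single-byte options with no length field. */
		if (o == DHO_PAD)
			continue;
		if (o == DHO_END)
			break;

		/* The length byte must itself lie inside the buffer. */
		if (p >= e)
			goto malformed;
		l = *p++;

		/* The payload must lie inside the buffer too. Compare sizes
		 * rather than forming p + l, which may point past the end. */
		if (l > (size_t)(e - p))
			goto malformed;

		if (o == DHO_OPTIONSOVERLOADED) {
			/* RFC 2132 9.3: exactly one byte of data. A different
			 * length means the packet is malformed, so reject it
			 * instead of skipping the option. */
			if (l != 1)
				goto malformed;
			if (!found) {   /* keep the first occurrence only */
				*overl = *p;
				found = 1;
			}
		}
		p += l;   /* safe: l <= e - p was established above */
	}
	return found;

malformed:
	errno = EINVAL;
	return -1;
}

/* Wrapper mirroring the dhcpcd "0x80 | value" marking: returns
 * 0x80 | value when the option is present, 0 when absent, -1 if malformed. */
int overload_of(const uint8_t *buf, size_t len)
{
	uint8_t v = 0;
	int r = dhcp_get_overload(buf, len, &v);

	if (r < 0)
		return -1;
	if (r == 0)
		return 0;
	return 0x80 | v;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t sample_ok[]         = { 53, 1, 2, 52, 1, 3, 255 };
static const uint8_t sample_no_length[]  = { 53, 1, 2, 52 };          /* code, then end of buffer */
static const uint8_t sample_no_value[]   = { 53, 1, 2, 52, 1 };       /* length says 1, value missing */
static const uint8_t sample_bad_length[] = { 53, 1, 2, 52, 2, 1, 1, 255 };
static const uint8_t sample_absent[]     = { 53, 1, 2, 0, 0, 255 };

int main(void)
{
	printf("ok:         %d\n", overload_of(sample_ok, sizeof sample_ok));
	printf("no length:  %d\n", overload_of(sample_no_length, sizeof sample_no_length));
	printf("no value:   %d\n", overload_of(sample_no_value, sizeof sample_no_value));
	printf("bad length: %d\n", overload_of(sample_bad_length, sizeof sample_bad_length));
	printf("absent:     %d\n", overload_of(sample_absent, sizeof sample_absent));
	return 0;
}
```

The sample_no_value buffer has the shape of the report in this thread: the overload option is the last thing in the packet, its length byte is present, but the one data byte is not, so an unchecked p[1] would read one byte past the end. Here the size comparison rejects it before any value is read.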
Follow-Ups:
  Re: Backporting two dhcpcd security patches to 6.0.5 (Roy Marples)
References:
  Backporting two dhcpcd security patches to 6.0.5 (Chris Lamb)
  Re: Backporting two dhcpcd security patches to 6.0.5 (Roy Marples)
Archive administrator: postmaster@marples.name