Mercurial > hg > dhcpcd
changeset 4463:0dcdae5e7954 draft
Merge branch 'dhcpcd-7'
| author | Roy Marples <roy@marples.name> |
|---|---|
| date | Fri, 19 Apr 2019 21:54:19 +0100 |
| parents | 8e41e487831d (current diff) 7444e7099fb9 (diff) |
| children | 9ba7f650a8f7 |
| files | src/dhcp.c |
| diffstat | 5 files changed, 59 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/compat/consttime_memequal.h Fri Apr 19 21:54:19 2019 +0100 @@ -0,0 +1,28 @@ +/* + * Written by Matthias Drochner <drochner@NetBSD.org>. + * Public domain. + */ + +#ifndef CONSTTIME_MEMEQUAL_H +#define CONSTTIME_MEMEQUAL_H +inline static int +consttime_memequal(const void *b1, const void *b2, size_t len) +{ + const unsigned char *c1 = b1, *c2 = b2; + unsigned int res = 0; + + while (len--) + res |= *c1++ ^ *c2++; + + /* + * Map 0 to 1 and [1, 256) to 0 using only constant-time + * arithmetic. + * + * This is not simply `!res' because although many CPUs support + * branchless conditional moves and many compilers will take + * advantage of them, certain compilers generate branches on + * certain CPUs for `!res'. + */ + return (1 & ((res - 1) >> 8)); +} +#endif /* CONSTTIME_MEMEQUAL_H */
--- a/configure Fri Apr 19 09:07:13 2019 +0100 +++ b/configure Fri Apr 19 21:54:19 2019 +0100 @@ -13,6 +13,7 @@ INET6= ARC4RANDOM= CLOSEFROM= +CONSTTIME_MEMEQUAL= STRLCPY= UDEV= OS= @@ -846,6 +847,27 @@ echo "#include \"compat/strtoi.h\"" >>$CONFIG_H fi +if [ -z "$CONSTTIME_MEMEQUAL" ]; then + printf "Testing for consttime_memequal ... " + cat <<EOF >_consttime_memequal.c +#include <string.h> +int main(void) { + return consttime_memequal("deadbeef", "deadbeef", 8); +} +EOF + if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then + CONSTTIME_MEMEQUAL=yes + else + CONSTTIME_MEMEQUAL=no + fi + echo "$CONSTTIME_MEMEQUAL" + rm -f _consttime_memequal.c _consttime_memequal +fi +if [ "$CONSTTIME_MEMEQUAL" = no ]; then + echo "#include \"compat/consttime_memequal.h\"" \ + >>$CONFIG_H +fi + if [ -z "$DPRINTF" ]; then printf "Testing for dprintf ... " cat <<EOF >_dprintf.c
--- a/src/auth.c Fri Apr 19 09:07:13 2019 +0100 +++ b/src/auth.c Fri Apr 19 21:54:19 2019 +0100 @@ -354,7 +354,7 @@ } free(mm); - if (memcmp(d, &hmac_code, dlen)) { + if (!consttime_memequal(d, &hmac_code, dlen)) { errno = EPERM; return NULL; }
--- a/src/dhcp.c Fri Apr 19 09:07:13 2019 +0100 +++ b/src/dhcp.c Fri Apr 19 21:54:19 2019 +0100 @@ -216,6 +216,12 @@ } l = *p++; + /* Check we can read the option data, if present */ + if (p + l > e) { + errno = EINVAL; + return NULL; + } + if (o == DHO_OPTSOVERLOADED) { /* Ensure we only get this option once by setting * the last bit as well as the value. @@ -250,10 +256,6 @@ bp += ol; } ol = l; - if (p + ol >= e) { - errno = EINVAL; - return NULL; - } op = p; bl += ol; }
--- a/src/dhcp6.c Fri Apr 19 09:07:13 2019 +0100 +++ b/src/dhcp6.c Fri Apr 19 21:54:19 2019 +0100 @@ -2029,12 +2029,12 @@ nd = o + ol; l -= (size_t)(nd - d); d = nd; - if (ol < 24) { + if (ol < sizeof(ia)) { errno = EINVAL; logerrx("%s: IA Address option truncated", ifp->name); continue; } - memcpy(&ia, o, ol); + memcpy(&ia, o, sizeof(ia)); ia.pltime = ntohl(ia.pltime); ia.vltime = ntohl(ia.vltime); /* RFC 3315 22.6 */