Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
dhcp.2509
0020-dhcp-4.3.3-P1-CVE-2015-8605-udp-payload-le...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0020-dhcp-4.3.3-P1-CVE-2015-8605-udp-payload-length-ckeck.patch of Package dhcp.2509
From: Shawn Routhier <sar@isc.org> Date: Wed, 16 Dec 2015 16:30:02 -0800 Upstream: yes References: bsc#961305, CVE-2015-8605 Subject: [PATCH 2/2] [master] Clean up packet handling diff --git a/RELNOTES b/RELNOTES index 565b225..3e70688 100644 --- a/RELNOTES +++ b/RELNOTES @@ -52,6 +52,13 @@ ISC DHCP is open source software maintained by Internet Systems Consortium. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). + Changes since 4.3.3 + +! Update the bounds checking when receiving a packet. + Thanks to Sebastian Poehn from Sophos for the bug report and a suggested + patch. + [ISC-Bugs #41267] + Changes since 4.3.3b1 - None diff --git a/common/packet.c b/common/packet.c index b530432..e600e37 100644 --- a/common/packet.c +++ b/common/packet.c @@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from) } } -/* UDP header and IP header decoded together for convenience. */ +/*! + * + * \brief UDP header and IP header decoded together for convenience. + * + * Attempt to decode the UDP and IP headers and, if necessary, checksum + * the packet. + * + * \param inteface - the interface on which the packet was recevied + * \param buf - a pointer to the buffer for the received packet + * \param bufix - where to start processing the buffer, previous + * routines may have processed parts of the buffer already + * \param from - space to return the address of the packet sender + * \param buflen - remaining length of the buffer, this will have been + * decremented by bufix by the caller + * \param rbuflen - space to return the length of the payload from the udp + * header + * \param csum_ready - indication if the checksum is valid for use + * non-zero indicates the checksum should be validated + * + * \return - the index to the first byte of the udp payload (that is the + * start of the DHCP packet + */ ssize_t decode_udp_ip_header(struct interface_info *interface, @@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface, unsigned char *data; struct ip ip; struct udphdr udp; - unsigned char *upp, *endbuf; + unsigned char *upp; u_int32_t ip_len, ulen, pkt_len; static unsigned int ip_packets_seen = 0; static unsigned int ip_packets_bad_checksum = 0; @@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface, static unsigned int udp_packets_length_overflow = 0; unsigned len; - /* Designate the end of the input buffer for bounds checks. */ - endbuf = buf + bufix + buflen; - /* Assure there is at least an IP header there. */ - if ((buf + bufix + sizeof(ip)) > endbuf) + if (sizeof(ip) > buflen) return -1; /* Copy the IP header into a stack aligned structure for inspection. @@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface, ip_len = (*upp & 0x0f) << 2; upp += ip_len; - /* Check the IP packet length. */ + /* Check packet lengths are within the buffer: + * first the ip header (ip_len) + * then the packet length from the ip header (pkt_len) + * then the udp header (ip_len + sizeof(udp) + * We are liberal in what we accept, the udp payload should fit within + * pkt_len, but we only check against the full buffer size. + */ pkt_len = ntohs(ip.ip_len); - if (pkt_len > buflen) - return -1; - - /* Assure after ip_len bytes that there is enough room for a UDP header. */ - if ((upp + sizeof(udp)) > endbuf) + if ((ip_len > buflen) || + (pkt_len > buflen) || + ((ip_len + sizeof(udp)) > buflen)) return -1; /* Copy the UDP header into a stack aligned structure for inspection. */ @@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface, return -1; udp_packets_length_checked++; - if ((upp + ulen) > endbuf) { + /* verify that the payload length from the udp packet fits in the buffer */ + if ((ip_len + ulen) > buflen) { udp_packets_length_overflow++; if (((udp_packets_length_checked > 4) && (udp_packets_length_overflow != 0)) &&
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor