author | Catalin Enache <catalin.enache@windriver.com> | 2016-04-18 15:52:16 +0300 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-04-18 16:28:22 +0100 |
commit | 4946ecfb42d71c35c1421061479731a4ea88f762 (patch) | |
tree | 5c3c1d546213d47381ad37240b2cdbb8fa5c11ef | |
parent | c219c6d5826b6f1002f5486eceeb1cc8990d7c28 (diff) | |
dhcp: CVE-2016-2774
ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before
4.3.4 does not restrict the number of concurrent TCP sessions,
which allows remote attackers to cause a denial of service
(INSIST assertion failure or request-processing outage)
by establishing many sessions.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2774
(From OE-Core rev: 2fc84114c6323bf1e3d3598af52dd1523168c9fc)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/dhcp/dhcp/CVE-2016-2774.patch | 65 | ||||
-rw-r--r-- | meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb | 1 |
2 files changed, 66 insertions, 0 deletions
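--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2016-2774.patch
@@ -0,0 +1,65 @@
+From b9f56d578ebfd649b5d829960540859ac6ca931c Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Tue, 12 Apr 2016 18:23:31 +0300
+Subject: [PATCH] Add patch to limit the value of an fd we accept for a
+connection.
+
+By limiting the highest value we accept for an fd we limit the number
+of connections.
+
+Upstream-Status: Backport
+CVE: CVE-2016-2774
+
+Author: Shawn Routhier <sar@isc.org>
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+includes/site.h | 6 ++++++
+omapip/listener.c | 9 +++++++--
+3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/includes/site.h b/includes/site.h
+index 9c33de3..df020c8 100644
+--- a/includes/site.h
++++ b/includes/site.h
+@@ -290,6 +290,12 @@
+this option will be removed at some time. */
+/* #define INCLUDE_OLD_DHCP_ISC_ERROR_CODES */
+
++/* Limit the value of a file descriptor the serve will use
++ when accepting a connecting request. This can be used to
++ limit the number of TCP connections that the server will
++ allow at one time. A value of 0 means there is no limit.*/
++#define MAX_FD_VALUE 200
++
+/* Include definitions for various options. In general these
+should be left as is, but if you have already defined one
+of these and prefer your definition you can comment the
+diff --git a/omapip/listener.c b/omapip/listener.c
+index 8bdcdbd..61473cf 100644
+--- a/omapip/listener.c
++++ b/omapip/listener.c
+@@ -3,7 +3,7 @@
+Subroutines that support the generic listener object. */
+
+/*
+- * Copyright (c) 2012,2014 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2012,2014,2016 by Internet Systems Consortium, Inc. ("ISC")
+* Copyright (c) 2004,2007,2009 by Internet Systems Consortium, Inc. ("ISC")
+* Copyright (c) 1999-2003 by Internet Software Consortium
+*
+@@ -233,7 +233,12 @@ isc_result_t omapi_accept (omapi_object_t *h)
+return ISC_R_NORESOURCES;
+return ISC_R_UNEXPECTED;
+}
+-
++
++ if ((MAX_FD_VALUE != 0) && (socket > MAX_FD_VALUE)) {
++ close(socket);
++ return (ISC_R_NORESOURCES);
++ }
++
+#if defined (TRACING)
+/* If we're recording a trace, remember the connection. */
+if (trace_record ()) {
+--
+2.7.4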
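Review bot: The guard added to omapi_accept, `if ((MAX_FD_VALUE != 0) && (socket > MAX_FD_VALUE))`, caps the number of the accepted descriptor rather than the count of live OMAPI connections, so the real ceiling is roughly 200 minus every other descriptor the daemon already holds (lease file, per-interface sockets, trace file) and it never consults RLIMIT_NOFILE; the site.h comment should say so, e.g. `/* Reject any accepted connection whose fd number exceeds this value. This is an fd-number ceiling, so the effective connection cap shrinks with each other fd the daemon keeps open. */`, and omapi_accept itself starts and ends outside the hunk. Because MAX_FD_VALUE is a compile-time constant in site.h, an operator cannot tune it without rebuilding the package, which the patch description or recipe should state. The site.h comment also carries a typo, `the serve will use` should read `the server will use`, and the nested diffstat line `3 files changed, 18 insertions(+), 2 deletions(-)` lists only two files totalling 15 insertions, presumably because a release-notes hunk was dropped in the backport. The return value of `close(socket)` is discarded, which matches the surrounding code's style but silently loses any error on that close.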
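--- a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://dhcp-3.0.3-dhclient-dbus.patch;striplevel=0 \
 file://replace-ifconfig-route.patch \
 file://CVE-2015-8605.patch \
 file://0001-site.h-enable-gentle-shutdown.patch \
+file://CVE-2016-2774.patch \
 "
 
 SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e"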