diff options
author | Mariano Lopez <mariano.lopez@linux.intel.com> | 2016-02-26 14:34:17 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-03-02 22:39:42 +0000 |
commit | 89140b0883eb2007330c45edad0568f3e70fca55 (patch) | |
tree | 44337e036e93957fa1ec425c8d0ba3795901c52f /meta/recipes-connectivity | |
parent | 6ccd8cdeb5af01aa44faa56b634140670edc6712 (diff) | |
download | poky-89140b0883eb2007330c45edad0568f3e70fca55.tar.gz |
dhcp: CVE-2015-8605
ISC DHCP allows remote attackers to cause a denial of
service (application crash) via an invalid length field
in a UDP IPv4 packet.
(From OE-Core rev: f9739b7fa8d08521dc5e42a169753d4c75074ec7)
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch | 99 | ||||
-rw-r--r-- | meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb | 1 |
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch new file mode 100644 index 0000000000..923d5d5c58 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | Solves CVE-2015-8605 that caused DoS when an invalid lenght field in IPv4 UDP | ||
2 | was recived by the server. | ||
3 | |||
4 | Upstream-Status: Backport | ||
5 | CVE: CVE-2015-8605 | ||
6 | |||
7 | Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> | ||
8 | |||
9 | ======================================================================= | ||
10 | diff --git a/common/packet.c b/common/packet.c | ||
11 | index b530432..e600e37 100644 | ||
12 | --- a/common/packet.c | ||
13 | +++ b/common/packet.c | ||
14 | @@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from) | ||
15 | } | ||
16 | } | ||
17 | |||
18 | -/* UDP header and IP header decoded together for convenience. */ | ||
19 | +/*! | ||
20 | + * | ||
21 | + * \brief UDP header and IP header decoded together for convenience. | ||
22 | + * | ||
23 | + * Attempt to decode the UDP and IP headers and, if necessary, checksum | ||
24 | + * the packet. | ||
25 | + * | ||
26 | + * \param inteface - the interface on which the packet was recevied | ||
27 | + * \param buf - a pointer to the buffer for the received packet | ||
28 | + * \param bufix - where to start processing the buffer, previous | ||
29 | + * routines may have processed parts of the buffer already | ||
30 | + * \param from - space to return the address of the packet sender | ||
31 | + * \param buflen - remaining length of the buffer, this will have been | ||
32 | + * decremented by bufix by the caller | ||
33 | + * \param rbuflen - space to return the length of the payload from the udp | ||
34 | + * header | ||
35 | + * \param csum_ready - indication if the checksum is valid for use | ||
36 | + * non-zero indicates the checksum should be validated | ||
37 | + * | ||
38 | + * \return - the index to the first byte of the udp payload (that is the | ||
39 | + * start of the DHCP packet | ||
40 | + */ | ||
41 | |||
42 | ssize_t | ||
43 | decode_udp_ip_header(struct interface_info *interface, | ||
44 | @@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface, | ||
45 | unsigned char *data; | ||
46 | struct ip ip; | ||
47 | struct udphdr udp; | ||
48 | - unsigned char *upp, *endbuf; | ||
49 | + unsigned char *upp; | ||
50 | u_int32_t ip_len, ulen, pkt_len; | ||
51 | static unsigned int ip_packets_seen = 0; | ||
52 | static unsigned int ip_packets_bad_checksum = 0; | ||
53 | @@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface, | ||
54 | static unsigned int udp_packets_length_overflow = 0; | ||
55 | unsigned len; | ||
56 | |||
57 | - /* Designate the end of the input buffer for bounds checks. */ | ||
58 | - endbuf = buf + bufix + buflen; | ||
59 | - | ||
60 | /* Assure there is at least an IP header there. */ | ||
61 | - if ((buf + bufix + sizeof(ip)) > endbuf) | ||
62 | + if (sizeof(ip) > buflen) | ||
63 | return -1; | ||
64 | |||
65 | /* Copy the IP header into a stack aligned structure for inspection. | ||
66 | @@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface, | ||
67 | ip_len = (*upp & 0x0f) << 2; | ||
68 | upp += ip_len; | ||
69 | |||
70 | - /* Check the IP packet length. */ | ||
71 | + /* Check packet lengths are within the buffer: | ||
72 | + * first the ip header (ip_len) | ||
73 | + * then the packet length from the ip header (pkt_len) | ||
74 | + * then the udp header (ip_len + sizeof(udp) | ||
75 | + * We are liberal in what we accept, the udp payload should fit within | ||
76 | + * pkt_len, but we only check against the full buffer size. | ||
77 | + */ | ||
78 | pkt_len = ntohs(ip.ip_len); | ||
79 | - if (pkt_len > buflen) | ||
80 | - return -1; | ||
81 | - | ||
82 | - /* Assure after ip_len bytes that there is enough room for a UDP header. */ | ||
83 | - if ((upp + sizeof(udp)) > endbuf) | ||
84 | + if ((ip_len > buflen) || | ||
85 | + (pkt_len > buflen) || | ||
86 | + ((ip_len + sizeof(udp)) > buflen)) | ||
87 | return -1; | ||
88 | |||
89 | /* Copy the UDP header into a stack aligned structure for inspection. */ | ||
90 | @@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface, | ||
91 | return -1; | ||
92 | |||
93 | udp_packets_length_checked++; | ||
94 | - if ((upp + ulen) > endbuf) { | ||
95 | + /* verify that the payload length from the udp packet fits in the buffer */ | ||
96 | + if ((ip_len + ulen) > buflen) { | ||
97 | udp_packets_length_overflow++; | ||
98 | if (((udp_packets_length_checked > 4) && | ||
99 | (udp_packets_length_overflow != 0)) && | ||
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb index 6fcdddcf89..ee1e082c84 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb | |||
@@ -6,6 +6,7 @@ SRC_URI += "file://dhcp-3.0.3-dhclient-dbus.patch;striplevel=0 \ | |||
6 | file://fixsepbuild.patch \ | 6 | file://fixsepbuild.patch \ |
7 | file://dhclient-script-drop-resolv.conf.dhclient.patch \ | 7 | file://dhclient-script-drop-resolv.conf.dhclient.patch \ |
8 | file://replace-ifconfig-route.patch \ | 8 | file://replace-ifconfig-route.patch \ |
9 | file://CVE-2015-8605.patch \ | ||
9 | " | 10 | " |
10 | 11 | ||
11 | SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e" | 12 | SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e" |