1 files changed, 101 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch
new file mode 100644
index 0000000000..05f1fa9fd8
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch
@@ -0,0 +1,101 @@
+Solves CVE-2015-8605 that caused DoS when an invalid length field in IPv4 UDP
+was received by the server.
+Upstream-Status: Backport (v4.3.3p1)
+CVE: CVE-2015-8605
+From: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=4ce21cb6301d665de01c1a6209e40f5f35072c0c
+Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
+=======================================================================
+diff --git a/common/packet.c b/common/packet.c
+index b530432..e600e37 100644
+--- a/common/packet.c
+++ b/common/packet.c
+@@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from)
+        }
+ }
+ 
+-/* UDP header and IP header decoded together for convenience. */
+/*!
+ *
+ * \brief UDP header and IP header decoded together for convenience.
+ *
+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
+ * the packet.
+ *
+ * \param inteface - the interface on which the packet was recevied
+ * \param buf - a pointer to the buffer for the received packet
+ * \param bufix - where to start processing the buffer, previous
+ *                routines may have processed parts of the buffer already
+ * \param from - space to return the address of the packet sender
+ * \param buflen - remaining length of the buffer, this will have been
+ *                 decremented by bufix by the caller
+ * \param rbuflen - space to return the length of the payload from the udp
+ *                  header
+ * \param csum_ready - indication if the checksum is valid for use
+ *                     non-zero indicates the checksum should be validated
+ *
+ * \return - the index to the first byte of the udp payload (that is the
+ *           start of the DHCP packet
+ */
+ 
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
+@@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface,
+   unsigned char *data;
+   struct ip ip;
+   struct udphdr udp;
+-  unsigned char *upp, *endbuf;
+  unsigned char *upp;
+   u_int32_t ip_len, ulen, pkt_len;
+   static unsigned int ip_packets_seen = 0;
+   static unsigned int ip_packets_bad_checksum = 0;
+@@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface,
+   static unsigned int udp_packets_length_overflow = 0;
+   unsigned len;
+ 
+-  /* Designate the end of the input buffer for bounds checks. */
+-  endbuf = buf + bufix + buflen;
+-
+   /* Assure there is at least an IP header there. */
+-  if ((buf + bufix + sizeof(ip)) > endbuf)
+  if (sizeof(ip) > buflen)
+          return -1;
+ 
+   /* Copy the IP header into a stack aligned structure for inspection.
+@@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface,
+   ip_len = (*upp & 0x0f) << 2;
+   upp += ip_len;
+ 
+-  /* Check the IP packet length. */
+  /* Check packet lengths are within the buffer:
+   * first the ip header (ip_len)
+   * then the packet length from the ip header (pkt_len)
+   * then the udp header (ip_len + sizeof(udp)
+   * We are liberal in what we accept, the udp payload should fit within
+   * pkt_len, but we only check against the full buffer size.
+   */
+   pkt_len = ntohs(ip.ip_len);
+-  if (pkt_len > buflen)
+-       return -1;
+-
+-  /* Assure after ip_len bytes that there is enough room for a UDP header. */
+-  if ((upp + sizeof(udp)) > endbuf)
+  if ((ip_len > buflen) ||
+      (pkt_len > buflen) ||
+      ((ip_len + sizeof(udp)) > buflen))
+          return -1;
+ 
+   /* Copy the UDP header into a stack aligned structure for inspection. */
+@@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface,
+        return -1;
+ 
+   udp_packets_length_checked++;
+-  if ((upp + ulen) > endbuf) {
+  /* verify that the payload length from the udp packet fits in the buffer */
+  if ((ip_len + ulen) > buflen) {
+        udp_packets_length_overflow++;
+        if (((udp_packets_length_checked > 4) &&
+             (udp_packets_length_overflow != 0)) &&

diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch new file mode 100644 index 0000000000..05f1fa9fd8 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch
@@ -0,0 +1,101 @@
	1	Solves CVE-2015-8605 that caused DoS when an invalid length field in IPv4 UDP
	2	was received by the server.
	3
	4	Upstream-Status: Backport (v4.3.3p1)
	5	CVE: CVE-2015-8605
	6
	7	From: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=4ce21cb6301d665de01c1a6209e40f5f35072c0c
	8
	9	Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
	10
	11	=======================================================================
	12	diff --git a/common/packet.c b/common/packet.c
	13	index b530432..e600e37 100644
	14	--- a/common/packet.c
	15	+++ b/common/packet.c
	16	@@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from)
	17	}
	18	}
	19
	20	-/* UDP header and IP header decoded together for convenience. */
	21	+/*!
	22	+ *
	23	+ * \brief UDP header and IP header decoded together for convenience.
	24	+ *
	25	+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
	26	+ * the packet.
	27	+ *
	28	+ * \param inteface - the interface on which the packet was recevied
	29	+ * \param buf - a pointer to the buffer for the received packet
	30	+ * \param bufix - where to start processing the buffer, previous
	31	+ * routines may have processed parts of the buffer already
	32	+ * \param from - space to return the address of the packet sender
	33	+ * \param buflen - remaining length of the buffer, this will have been
	34	+ * decremented by bufix by the caller
	35	+ * \param rbuflen - space to return the length of the payload from the udp
	36	+ * header
	37	+ * \param csum_ready - indication if the checksum is valid for use
	38	+ * non-zero indicates the checksum should be validated
	39	+ *
	40	+ * \return - the index to the first byte of the udp payload (that is the
	41	+ * start of the DHCP packet
	42	+ */
	43
	44	ssize_t
	45	decode_udp_ip_header(struct interface_info *interface,
	46	@@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface,
	47	unsigned char *data;
	48	struct ip ip;
	49	struct udphdr udp;
	50	- unsigned char upp, endbuf;
	51	+ unsigned char *upp;
	52	u_int32_t ip_len, ulen, pkt_len;
	53	static unsigned int ip_packets_seen = 0;
	54	static unsigned int ip_packets_bad_checksum = 0;
	55	@@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface,
	56	static unsigned int udp_packets_length_overflow = 0;
	57	unsigned len;
	58
	59	- /* Designate the end of the input buffer for bounds checks. */
	60	- endbuf = buf + bufix + buflen;
	61	-
	62	/* Assure there is at least an IP header there. */
	63	- if ((buf + bufix + sizeof(ip)) > endbuf)
	64	+ if (sizeof(ip) > buflen)
	65	return -1;
	66
	67	/* Copy the IP header into a stack aligned structure for inspection.
	68	@@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface,
	69	ip_len = (*upp & 0x0f) << 2;
	70	upp += ip_len;
	71
	72	- /* Check the IP packet length. */
	73	+ /* Check packet lengths are within the buffer:
	74	+ * first the ip header (ip_len)
	75	+ * then the packet length from the ip header (pkt_len)
	76	+ * then the udp header (ip_len + sizeof(udp)
	77	+ * We are liberal in what we accept, the udp payload should fit within
	78	+ * pkt_len, but we only check against the full buffer size.
	79	+ */
	80	pkt_len = ntohs(ip.ip_len);
	81	- if (pkt_len > buflen)
	82	- return -1;
	83	-
	84	- /* Assure after ip_len bytes that there is enough room for a UDP header. */
	85	- if ((upp + sizeof(udp)) > endbuf)
	86	+ if ((ip_len > buflen) \|\|
	87	+ (pkt_len > buflen) \|\|
	88	+ ((ip_len + sizeof(udp)) > buflen))
	89	return -1;
	90
	91	/* Copy the UDP header into a stack aligned structure for inspection. */
	92	@@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface,
	93	return -1;
	94
	95	udp_packets_length_checked++;
	96	- if ((upp + ulen) > endbuf) {
	97	+ /* verify that the payload length from the udp packet fits in the buffer */
	98	+ if ((ip_len + ulen) > buflen) {
	99	udp_packets_length_overflow++;
	100	if (((udp_packets_length_checked > 4) &&
	101	(udp_packets_length_overflow != 0)) &&