dhcp: CVE-2015-8605

ISC DHCP allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet. (From OE-Core rev: f9739b7fa8d08521dc5e42a169753d4c75074ec7) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mariano Lopez <mariano.lopez@linux.intel.com> 2016-02-26 14:34:17 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-02 22:39:42 +0000
commit: 89140b0883eb2007330c45edad0568f3e70fca55 (patch)
tree: 44337e036e93957fa1ec425c8d0ba3795901c52f
parent: 6ccd8cdeb5af01aa44faa56b634140670edc6712 (diff)
download: poky-89140b0883eb2007330c45edad0568f3e70fca55.tar.gz
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch
new file mode 100644
index 0000000000..923d5d5c58
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch
@@ -0,0 +1,99 @@
+Solves CVE-2015-8605 that caused DoS when an invalid lenght field in IPv4 UDP
+was recived by the server.
+Upstream-Status: Backport
+CVE: CVE-2015-8605
+Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
+=======================================================================
+diff --git a/common/packet.c b/common/packet.c
+index b530432..e600e37 100644
+--- a/common/packet.c
+++ b/common/packet.c
+@@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from)
+        }
+ }
+ 
+-/* UDP header and IP header decoded together for convenience. */
+/*!
+ *
+ * \brief UDP header and IP header decoded together for convenience.
+ *
+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
+ * the packet.
+ *
+ * \param inteface - the interface on which the packet was recevied
+ * \param buf - a pointer to the buffer for the received packet
+ * \param bufix - where to start processing the buffer, previous
+ *                routines may have processed parts of the buffer already
+ * \param from - space to return the address of the packet sender
+ * \param buflen - remaining length of the buffer, this will have been
+ *                 decremented by bufix by the caller
+ * \param rbuflen - space to return the length of the payload from the udp
+ *                  header
+ * \param csum_ready - indication if the checksum is valid for use
+ *                     non-zero indicates the checksum should be validated
+ *
+ * \return - the index to the first byte of the udp payload (that is the
+ *           start of the DHCP packet
+ */
+ 
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
+@@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface,
+   unsigned char *data;
+   struct ip ip;
+   struct udphdr udp;
+-  unsigned char *upp, *endbuf;
+  unsigned char *upp;
+   u_int32_t ip_len, ulen, pkt_len;
+   static unsigned int ip_packets_seen = 0;
+   static unsigned int ip_packets_bad_checksum = 0;
+@@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface,
+   static unsigned int udp_packets_length_overflow = 0;
+   unsigned len;
+ 
+-  /* Designate the end of the input buffer for bounds checks. */
+-  endbuf = buf + bufix + buflen;
+-
+   /* Assure there is at least an IP header there. */
+-  if ((buf + bufix + sizeof(ip)) > endbuf)
+  if (sizeof(ip) > buflen)
+          return -1;
+ 
+   /* Copy the IP header into a stack aligned structure for inspection.
+@@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface,
+   ip_len = (*upp & 0x0f) << 2;
+   upp += ip_len;
+ 
+-  /* Check the IP packet length. */
+  /* Check packet lengths are within the buffer:
+   * first the ip header (ip_len)
+   * then the packet length from the ip header (pkt_len)
+   * then the udp header (ip_len + sizeof(udp)
+   * We are liberal in what we accept, the udp payload should fit within
+   * pkt_len, but we only check against the full buffer size.
+   */
+   pkt_len = ntohs(ip.ip_len);
+-  if (pkt_len > buflen)
+-       return -1;
+-
+-  /* Assure after ip_len bytes that there is enough room for a UDP header. */
+-  if ((upp + sizeof(udp)) > endbuf)
+  if ((ip_len > buflen) ||
+      (pkt_len > buflen) ||
+      ((ip_len + sizeof(udp)) > buflen))
+          return -1;
+ 
+   /* Copy the UDP header into a stack aligned structure for inspection. */
+@@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface,
+        return -1;
+ 
+   udp_packets_length_checked++;
+-  if ((upp + ulen) > endbuf) {
+  /* verify that the payload length from the udp packet fits in the buffer */
+  if ((ip_len + ulen) > buflen) {
+        udp_packets_length_overflow++;
+        if (((udp_packets_length_checked > 4) &&
+             (udp_packets_length_overflow != 0)) &&
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb
index 6fcdddcf89..ee1e082c84 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://dhcp-3.0.3-dhclient-dbus.patch;striplevel=0 \
            file://fixsepbuild.patch \
            file://dhclient-script-drop-resolv.conf.dhclient.patch \
            file://replace-ifconfig-route.patch \
+            file://CVE-2015-8605.patch \
           "
 SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e"
author	Mariano Lopez <mariano.lopez@linux.intel.com>	2016-02-26 14:34:17 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-02 22:39:42 +0000
commit	89140b0883eb2007330c45edad0568f3e70fca55 (patch)
tree	44337e036e93957fa1ec425c8d0ba3795901c52f
parent	6ccd8cdeb5af01aa44faa56b634140670edc6712 (diff)
download	poky-89140b0883eb2007330c45edad0568f3e70fca55.tar.gz

diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch new file mode 100644 index 0000000000..923d5d5c58 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch
@@ -0,0 +1,99 @@
		1	Solves CVE-2015-8605 that caused DoS when an invalid lenght field in IPv4 UDP
		2	was recived by the server.
		3
		4	Upstream-Status: Backport
		5	CVE: CVE-2015-8605
		6
		7	Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
		8
		9	=======================================================================
		10	diff --git a/common/packet.c b/common/packet.c
		11	index b530432..e600e37 100644
		12	--- a/common/packet.c
		13	+++ b/common/packet.c
		14	@@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from)
		15	}
		16	}
		17
		18	-/* UDP header and IP header decoded together for convenience. */
		19	+/*!
		20	+ *
		21	+ * \brief UDP header and IP header decoded together for convenience.
		22	+ *
		23	+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
		24	+ * the packet.
		25	+ *
		26	+ * \param inteface - the interface on which the packet was recevied
		27	+ * \param buf - a pointer to the buffer for the received packet
		28	+ * \param bufix - where to start processing the buffer, previous
		29	+ * routines may have processed parts of the buffer already
		30	+ * \param from - space to return the address of the packet sender
		31	+ * \param buflen - remaining length of the buffer, this will have been
		32	+ * decremented by bufix by the caller
		33	+ * \param rbuflen - space to return the length of the payload from the udp
		34	+ * header
		35	+ * \param csum_ready - indication if the checksum is valid for use
		36	+ * non-zero indicates the checksum should be validated
		37	+ *
		38	+ * \return - the index to the first byte of the udp payload (that is the
		39	+ * start of the DHCP packet
		40	+ */
		41
		42	ssize_t
		43	decode_udp_ip_header(struct interface_info *interface,
		44	@@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface,
		45	unsigned char *data;
		46	struct ip ip;
		47	struct udphdr udp;
		48	- unsigned char upp, endbuf;
		49	+ unsigned char *upp;
		50	u_int32_t ip_len, ulen, pkt_len;
		51	static unsigned int ip_packets_seen = 0;
		52	static unsigned int ip_packets_bad_checksum = 0;
		53	@@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface,
		54	static unsigned int udp_packets_length_overflow = 0;
		55	unsigned len;
		56
		57	- /* Designate the end of the input buffer for bounds checks. */
		58	- endbuf = buf + bufix + buflen;
		59	-
		60	/* Assure there is at least an IP header there. */
		61	- if ((buf + bufix + sizeof(ip)) > endbuf)
		62	+ if (sizeof(ip) > buflen)
		63	return -1;
		64
		65	/* Copy the IP header into a stack aligned structure for inspection.
		66	@@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface,
		67	ip_len = (*upp & 0x0f) << 2;
		68	upp += ip_len;
		69
		70	- /* Check the IP packet length. */
		71	+ /* Check packet lengths are within the buffer:
		72	+ * first the ip header (ip_len)
		73	+ * then the packet length from the ip header (pkt_len)
		74	+ * then the udp header (ip_len + sizeof(udp)
		75	+ * We are liberal in what we accept, the udp payload should fit within
		76	+ * pkt_len, but we only check against the full buffer size.
		77	+ */
		78	pkt_len = ntohs(ip.ip_len);
		79	- if (pkt_len > buflen)
		80	- return -1;
		81	-
		82	- /* Assure after ip_len bytes that there is enough room for a UDP header. */
		83	- if ((upp + sizeof(udp)) > endbuf)
		84	+ if ((ip_len > buflen) \|\|
		85	+ (pkt_len > buflen) \|\|
		86	+ ((ip_len + sizeof(udp)) > buflen))
		87	return -1;
		88
		89	/* Copy the UDP header into a stack aligned structure for inspection. */
		90	@@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface,
		91	return -1;
		92
		93	udp_packets_length_checked++;
		94	- if ((upp + ulen) > endbuf) {
		95	+ /* verify that the payload length from the udp packet fits in the buffer */
		96	+ if ((ip_len + ulen) > buflen) {
		97	udp_packets_length_overflow++;
		98	if (((udp_packets_length_checked > 4) &&
		99	(udp_packets_length_overflow != 0)) &&


diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb index 6fcdddcf89..ee1e082c84 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://dhcp-3.0.3-dhclient-dbus.patch;striplevel=0 \
6	file://fixsepbuild.patch \	6	file://fixsepbuild.patch \
7	file://dhclient-script-drop-resolv.conf.dhclient.patch \	7	file://dhclient-script-drop-resolv.conf.dhclient.patch \
8	file://replace-ifconfig-route.patch \	8	file://replace-ifconfig-route.patch \
		9	file://CVE-2015-8605.patch \
9	"	10	"
10		11
11	SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e"	12	SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e"