dhcpcd: Fix buffer overflow at startup

Fixes: #13252 - dhcpcd fails in next
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/lfs/dhcpcd b/lfs/dhcpcd
index 909de6e57ae4ed7eb28c38f14243aa6ef7b9e370..2323b6104a52314d48158039d44cffdcff37e9b4 100644 (file)
--- a/lfs/dhcpcd
+++ b/lfs/dhcpcd
@@ -71,6 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.2-Allow-free-selection-of-MTU-by-the-user.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
        cd $(DIR_APP) && ./configure \
                        --prefix="" \
                        --sysconfdir=/var/ipfire/dhcpc \

diff --git a/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch b/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
new file mode 100644 (file)
index 0000000..9e9cf36
--- /dev/null
+++ b/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
@@ -0,0 +1,26 @@
+From f798bf23af8e5a0eae38931912e2b67e1d45aca4 Mon Sep 17 00:00:00 2001
+From: Tobias Heider <tobhe@users.noreply.github.com>
+Date: Sat, 12 Aug 2023 21:59:21 +0200
+Subject: [PATCH] dhcpcd: Fix off-by-one overflow when read() writes full
+ BUFSIZ (#236)
+
+---
+ src/dhcpcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcpcd.c b/src/dhcpcd.c
+index e06733d3..688a3a6d 100644
+--- a/src/dhcpcd.c
++++ b/src/dhcpcd.c
+@@ -1822,7 +1822,7 @@ dhcpcd_stderr_cb(void *arg, unsigned short events)
+       if (!(events & ELE_READ))
+               return;
+ 
+-      len = read(ctx->stderr_fd, log, sizeof(log));
++      len = read(ctx->stderr_fd, log, sizeof(log) - 1);
+       if (len == -1) {
+               if (errno != ECONNRESET)
+                       logerr(__func__);
+-- 
+2.39.2
+

diff --git a/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch b/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
new file mode 100644 (file)
index 0000000..07c8701
--- /dev/null
+++ b/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
@@ -0,0 +1,28 @@
+From 1bd8fc7d4b34f752a32709d277a897e5ad202d97 Mon Sep 17 00:00:00 2001
+From: Tobias Heider <tobhe@users.noreply.github.com>
+Date: Tue, 15 Aug 2023 18:06:48 +0200
+Subject: [PATCH] privsep: fix strlcpy overflow in psp_ifname (#239)
+
+When running our Ubuntu tests with libc6 and strlcpy overflow checks
+enabled we found that the wrong size is passed to strlcpy resulting
+in a crash because of an overflow.
+---
+ src/privsep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/privsep.c b/src/privsep.c
+index b11c0351..cfe54742 100644
+--- a/src/privsep.c
++++ b/src/privsep.c
+@@ -1200,7 +1200,7 @@ ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
+ #endif
+ 
+       if (!(ctx->options & DHCPCD_MANAGER))
+-              strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_name));
++              strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname));
+       TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next);
+       return psp;
+ }
+-- 
+2.39.2
+