From: Thomas Markwalder
Date: Thu, 20 Jun 2019 14:43:10 +0000 (-0400)
Subject: [v4_1_esv_r15_p1] Added fixes for CVE-2018-5733 and CVE-2018-5732
X-Git-Tag: v4_1_esv_r16b1~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4584b794bed3b54df1b065db165e0f01696670d1;p=thirdparty%2Fdhcp.git
[v4_1_esv_r15_p1] Added fixes for CVE-2018-5733 and CVE-2018-5732
modified: RELNOTES
modified: common/options.c
---
diff --git a/RELNOTES b/RELNOTES
index edb258d79..eba2bf6ae 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -117,6 +117,18 @@ dhcp-users@lists.isc.org.
Thanks to Peter Lewis for requesting this change.
[ISC-Bugs 47062]
+! Option reference count was not correctly decremented in error path when parsing buffer for options. Reported by Felix Wilhelm, Google Security Team.
+ [ISC-Bugs #47140]
+ CVE: CVE-2018-5733
+
+! Corrected an issue where large sized 'X/x' format options were causing option handling logic to overwrite memory when expanding them to human readable form. Reported by Felix Wilhelm, Google Security Team.
+ [ISC-Bugs #47139]
+ CVE: CVE-2018-5732
+
Changes since 4.1-ESV-R15b1
- None
diff --git a/common/options.c b/common/options.c
index a136cd5c5..5b4f17d95 100644
--- a/common/options.c
+++ b/common/options.c
@@ -3,7 +3,7 @@
DHCP options parsing and reassembly. */
/*
- * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2018 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 1995-2003 by Internet Software Consortium
*
* Permission to use, copy, modify, and distribute this software for any
@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer, length, universe)
/* If the length is outrageous, the options are bad. */
if (offset + len > length) {
+ /* Avoid reference count overflow */
+ option_dereference(&option, MDL);
reason = "option length exceeds option buffer length";
bogus:
log_error("parse_option_buffer: malformed option "
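Review bot: The new `option_dereference(&option, MDL);` runs before the `log_error(...)` at the end of the hunk, whose argument list continues past the hunk; if that call still reports the option by name through `option`, it now reads through a pointer the dereference has presumably just set to NULL (ISC's *_dereference helpers clear their argument — confirm for this one). Moving the dereference below the log call, or logging `option ? option->name : "<unknown>"`, keeps the refcount fix without a NULL read on the very path the fix targets. Other `goto bogus` jumps into this block bypass the new dereference, so any of them that holds a reference would still leak it; parse_option_buffer's body starts and ends outside the hunk, so that needs checking there.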
@@ -1751,7 +1753,8 @@ format_min_length(format, oc)
/* Format the specified option so that a human can easily read it. */
-
+/* Maximum pretty printed size */
+#define MAX_OUTPUT_SIZE 32*1024
const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
struct option *option;
const unsigned char *data;
@@ -1759,8 +1762,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
int emit_commas;
int emit_quotes;
{
- static char optbuf [32768]; /* XXX */
- static char *endbuf = &optbuf[sizeof(optbuf)];
+ /* We add 128 byte pad so we don't have to add checks everywhere. */
+ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
+ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
int hunksize = 0;
int opthunk = 0;
int hunkinc = 0;
@@ -2187,6 +2191,12 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
fmtbuf [j]);
}
op += strlen (op);
+ if (op >= endbuf) {
+ log_error ("Option data exceeds"
+ " maximum size %d", MAX_OUTPUT_SIZE);
+ return ("");
+ }
+
if (dp == data + len)
break;
if (j + 1 < numelem && comma != ':')
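Review bot: `#define MAX_OUTPUT_SIZE 32*1024` expands without parentheses, so a later use such as `n / MAX_OUTPUT_SIZE` would parse as `n / 32 * 1024`; write it `#define MAX_OUTPUT_SIZE (32*1024)`. The two uses this commit adds (`MAX_OUTPUT_SIZE + 128` and the `%d` argument) happen to be safe, but a file-scope macro should not depend on that.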
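Review bot: The pad comment on `optbuf` says why the 128 bytes exist but not what they assume: the overflow check added later in this commit runs after each element has been appended, so the pad only suffices if no single append (element plus separator) exceeds 128 bytes. Suggest recording that invariant where the buffer is declared, e.g. `/* endbuf is 128 bytes short of the real end: the size check runs after each element is appended, so a single append must stay under 128 bytes. */`, and either dropping the `/* XXX */` carried over from the old declaration or saying what it still marks.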
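Review bot: `if (op >= endbuf)` is evaluated after `op += strlen (op)`, i.e. after the element has already been written into the buffer, so it catches an overrun into the 128-byte pad rather than preventing one, and a single element longer than the pad would still run past the array. Checking the remaining room (`endbuf - op`) before the formatting write above the hunk, or passing it as a bound to that write, would make the limit hold regardless of element size; pretty_print_option's body begins and ends outside the hunk, so I cannot see how large one element can get here. On failure `return ("")` is fine for callers, but the message could name the option (`option->name`, if `option` is guaranteed non-NULL at this point) so an operator can find the offending data.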