From: Shawn Routhier Date: Wed, 27 Jun 2012 21:33:25 +0000 (+0000) Subject: When attempting to convert a DUID from a client id option X-Git-Tag: v4_3_0a1~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e563ec2e5898119b6af8421f30d3513947348ceb;p=thirdparty%2Fdhcp.git When attempting to convert a DUID from a client id option into a hardware address handle unexpected client ids properly. Thanks to Markus Hietava of Codenomicon CROSS project for the finding this issue and CERT-FI for vulnerability coordination. [ISC-Bugs #29852] CVE: CVE-2012-3570 --- diff --git a/RELNOTES b/RELNOTES index 85ed82c68..53cddaffe 100644 --- a/RELNOTES +++ b/RELNOTES @@ -90,6 +90,13 @@ work on other platforms. Please report any problems and suggested fixes to [ISC-Bugs #29851] CVE: CVE-2012-3571 +! When attempting to convert a DUID from a client id option + into a hardware address handle unexpected client ids properly. + Thanks to Markus Hietava of Codenomicon CROSS project for the + finding this issue and CERT-FI for vulnerability coordination. + [ISC-Bugs #29852] + CVE: CVE-2012-3570 + Changes since 4.2.3 ! Add a check for a null pointer before calling the regexec function. diff --git a/includes/dhcpd.h b/includes/dhcpd.h index 6aaa6ed0b..b8792fae2 100644 --- a/includes/dhcpd.h +++ b/includes/dhcpd.h @@ -432,11 +432,17 @@ struct packet { isc_boolean_t unicast; }; -/* A network interface's MAC address. */ +/* + * A network interface's MAC address. + * 20 bytes for the hardware address + * and 1 byte for the type tag + */ + +#define HARDWARE_ADDR_LEN 20 struct hardware { u_int8_t hlen; - u_int8_t hbuf[21]; + u_int8_t hbuf[HARDWARE_ADDR_LEN + 1]; }; #if defined(LDAP_CONFIGURATION) diff --git a/server/dhcpv6.c b/server/dhcpv6.c index 9d5fa1d1a..d763c954e 100644 --- a/server/dhcpv6.c +++ b/server/dhcpv6.c @@ -6037,7 +6037,7 @@ find_hosts_by_duid_chaddr(struct host_decl **host, break; } - if (hlen == 0) + if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN)) return 0; /*
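Review bot: In the RELNOTES hunk, the new entry reads "for the finding this issue"; drop the stray "the" so it reads "for finding this issue". The entry also says only that unexpected client ids are now handled "properly". A short statement of what the server did with such a client id before the fix would help readers who are deciding whether to upgrade, since the entry carries a CVE number.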
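Review bot: In the includes/dhcpd.h hunk, the new comment documents the size of hbuf but not what hlen counts. The buffer is declared as HARDWARE_ADDR_LEN + 1 to make room for the type tag, while the check added in server/dhcpv6.c compares a length against HARDWARE_ADDR_LEN without the tag, so the comment should say whether the hlen field of struct hardware includes the tag byte. The comment is also now separated from struct hardware by the #define; moving the #define above the comment would keep the description attached to the struct. It is worth checking the rest of the tree for literal 20 or 21 bounds on hbuf and switching them to the macro so the limit lives in one place.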
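Review bot: In the server/dhcpv6.c hunk, the oversized case is folded into the same silent "return 0" as the empty case, so a malformed client id is indistinguishable from an ordinary lookup miss; consider logging when hlen > HARDWARE_ADDR_LEN. The bound is applied only after the switch has finished (the "break; }" context just above the changed line), so please confirm that nothing inside the cases uses hlen as a copy length, or derives it by subtraction from the option length, before this point; if it does, the check belongs ahead of that use. A one-line comment saying the limit is the size of hbuf minus the type tag would make the intent clear to the next reader of find_hosts_by_duid_chaddr.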