From 8d5a43f00b94ab84d3fe3673d2e81f101818348f Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 25 Aug 2023 17:25:23 +0000
Subject: [PATCH] dhcpcd: Fix buffer overflow at startup
Fixes: #13252 - dhcpcd fails in next
Signed-off-by: Michael Tremer
---
 lfs/dhcpcd | 2 ++
 ....2-fix-off-by-one-overflow-when-read.patch | 26 +++++++++++++++++
 ...p-fix-strlcpy-overflow-in-psp-ifname.patch | 28 +++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
 create mode 100644 src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
diff --git a/lfs/dhcpcd b/lfs/dhcpcd
index 909de6e57a..2323b6104a 100644
--- a/lfs/dhcpcd
+++ b/lfs/dhcpcd
@@ -71,6 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.2-Allow-free-selection-of-MTU-by-the-user.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
 cd $(DIR_APP) && ./configure \
 --prefix="" \
 --sysconfdir=/var/ipfire/dhcpc \
diff --git a/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch b/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
new file mode 100644
index 0000000000..9e9cf3695e
--- /dev/null
+++ b/src/patches/dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch
@@ -0,0 +1,26 @@
+From f798bf23af8e5a0eae38931912e2b67e1d45aca4 Mon Sep 17 00:00:00 2001
+From: Tobias Heider
+Date: Sat, 12 Aug 2023 21:59:21 +0200
+Subject: [PATCH] dhcpcd: Fix off-by-one overflow when read() writes full
+ BUFSIZ (#236)
+
+---
+ src/dhcpcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcpcd.c b/src/dhcpcd.c
+index e06733d3..688a3a6d 100644
+--- a/src/dhcpcd.c
++++ b/src/dhcpcd.c
+@@ -1822,7 +1822,7 @@ dhcpcd_stderr_cb(void *arg, unsigned short events)
+ if (!(events & ELE_READ))
+ return;
+
+- len = read(ctx->stderr_fd, log, sizeof(log));
++ len = read(ctx->stderr_fd, log, sizeof(log) - 1);
+ if (len == -1) {
+ if (errno != ECONNRESET)
+ logerr(__func__);
+--
+2.39.2
+
diff --git a/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch b/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
new file mode 100644
index 0000000000..07c87017e2
--- /dev/null
+++ b/src/patches/dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch
@@ -0,0 +1,28 @@
+From 1bd8fc7d4b34f752a32709d277a897e5ad202d97 Mon Sep 17 00:00:00 2001
+From: Tobias Heider
+Date: Tue, 15 Aug 2023 18:06:48 +0200
+Subject: [PATCH] privsep: fix strlcpy overflow in psp_ifname (#239)
+
+When running our Ubuntu tests with libc6 and strlcpy overflow checks
+enabled we found that the wrong size is passed to strlcpy resulting
+in a crash because of an overflow.
+---
+ src/privsep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/privsep.c b/src/privsep.c
+index b11c0351..cfe54742 100644
+--- a/src/privsep.c
++++ b/src/privsep.c
+@@ -1200,7 +1200,7 @@ ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
+ #endif
+
+ if (!(ctx->options & DHCPCD_MANAGER))
+- strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_name));
++ strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname));
+ TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next);
+ return psp;
+ }
+--
+2.39.2
+
--
2.39.5
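Review bot: In the embedded src/dhcpcd.c hunk of dhcpcd-10.0.2-fix-off-by-one-overflow-when-read.patch, the new bound `sizeof(log) - 1` is left unexplained at the call site, and the write that needs the spare byte is not among the visible lines. The subject line suggests a terminator is stored at `log[len]` after a full-sized read, so a comment on the read such as `/* keep one byte free for the NUL stored at log[len] */` would stop the bound from being tidied back to `sizeof(log)`. dhcpcd_stderr_cb starts and ends outside the hunk, so how a `len` of 0 is treated before the buffer is used cannot be confirmed from here.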
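Review bot: The corrected call in ps_newprocess (embedded src/privsep.c hunk of dhcpcd-10.0.2-privsep-fix-strlcpy-overflow-in-psp-ifname.patch) still discards strlcpy's return value, so a name in `ctx->ifv[0]` longer than `psp_ifname` would be truncated silently and the process entry would carry a different interface name than the one requested. Testing the result against the destination size, `if (strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname)) >= sizeof(psp->psp_ifname))`, and failing or logging in that branch would make the truncation visible; whether the length is already validated earlier is not shown in the hunk. The original defect was a `sizeof` taken on a sibling field (`psp_name`), so the other bounded copies into `psp` members in this file are worth checking for the same destination/size mismatch. ps_newprocess begins outside the hunk.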