From: David Hankins Date: Fri, 19 Jun 2009 23:24:19 +0000 (+0000) Subject: ! A stack overflow vulnerability was fixed in dhclient that could allow X-Git-Tag: v4_2_0a1~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a4e543b51677c3033cb6a9fc0b77e772063dd6a;p=thirdparty%2Fdhcp.git ! A stack overflow vulnerability was fixed in dhclient that could allow remote attackers to execute arbitrary commands as root on the system, or simply terminate the client, by providing an over-long subnet-mask option. [ISC-Bugs #19839] --- diff --git a/RELNOTES b/RELNOTES index c9b6b6c6b..aa1fa1bf8 100644 --- a/RELNOTES +++ b/RELNOTES @@ -144,6 +144,11 @@ work on other platforms. Please report any problems and suggested fixes to - A bug was fixed that caused the 'conflict-done' state to fail to be parsed in failover state records. +! A stack overflow vulnerability was fixed in dhclient that could allow + remote attackers to execute arbitrary commands as root on the system, + or simply terminate the client, by providing an over-long subnet-mask + option. + Changes since 4.1.0b1 - A missing "else" in dhcrelay.c could have caused an interface not to diff --git a/client/dhclient.c b/client/dhclient.c index 580c71268..99f0ec1a9 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -3070,8 +3070,15 @@ void script_write_params (client, prefix, lease) if (data.len > 3) { struct iaddr netmask, subnet, broadcast; - memcpy (netmask.iabuf, data.data, data.len); - netmask.len = data.len; + /* + * No matter the length of the subnet-mask option, + * use only the first four octets. Note that + * subnet-mask options longer than 4 octets are not + * in conformance with RFC 2132, but servers with this + * flaw do exist. + */ + memcpy(netmask.iabuf, data.data, 4); + netmask.len = 4; data_string_forget (&data, MDL); subnet = subnet_number (lease -> address, netmask);
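Review bot: the new RELNOTES entry in the first hunk drops the `[ISC-Bugs #19839]` reference that the commit message carries; readers of the release notes have no way to tie the "!" entry back to the ticket. Suggest ending the entry with the reference, e.g. `option. [ISC-Bugs #19839]`, so the note and the commit message identify the same issue.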
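Review bot: in the dhclient.c hunk the surrounding `if (data.len > 3)` guard is what makes the fixed-size `memcpy(netmask.iabuf, data.data, 4)` safe (at least four octets are present, and the copy can no longer overrun the fixed-size `iabuf` the way `memcpy(..., data.len)` did), but an over-long subnet-mask option is now truncated silently, so the non-conformant servers the comment itself mentions stay invisible to the operator. Consider emitting a warning when `data.len != 4` before the copy, since a server sending a malformed subnet-mask option is exactly the condition that triggered the original overflow and is worth surfacing in logs.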