sd-dhcp-client: tentatively ignore FORCERENEW command

author Yu Watanabe <watanabe.yu+github@gmail.com>

Wed, 23 Jun 2021 16:22:07 +0000 (01:22 +0900)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Tue, 20 Jul 2021 15:54:16 +0000 (17:54 +0200)
author Yu Watanabe <watanabe.yu+github@gmail.com>
Wed, 23 Jun 2021 16:22:07 +0000 (01:22 +0900)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 20 Jul 2021 15:54:16 +0000 (17:54 +0200)
diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c

index d472fcd9411d33831dcc2c937b092b3ea33bd43e..efdc7c55519a98ffab229d785fe3206ab7f03026 100644 (file)
--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
@@ -1536,9 +1536,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
          if (r != DHCP_FORCERENEW)
                  return -ENOMSG;
  
+#if 0
          log_dhcp_client(client, "FORCERENEW");
  
          return 0;
+#else
+        /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
+         * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
+         * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
+        log_dhcp_client(client, "Received FORCERENEW, ignoring.");
+        return -ENOMSG;
+#endif
  }
  
  static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
author	Yu Watanabe <watanabe.yu+github@gmail.com>
	Wed, 23 Jun 2021 16:22:07 +0000 (01:22 +0900)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 20 Jul 2021 15:54:16 +0000 (17:54 +0200)