components/isc-dhcp/patches/002-CVE-2015-8605.patch
branchs11u3-sru
changeset 5294 aab231e23f51
5288:96ef113b9eed 5294:aab231e23f51
       
     1 This patch was derived from ISC source differences between dhcp-4.1-ESV-R12
       
     2 and dhcp-4.1-ESV-R12-P1.
       
     3 
       
     4 --- old/./RELNOTES	Thu Jan  7 21:28:37 2016
       
     5 +++ new/./RELNOTES	Thu Jan  7 21:28:37 2016
       
     6 @@ -1,6 +1,6 @@
       
     7  	      Internet Systems Consortium DHCP Distribution
       
     8 -			    Version 4.1-ESV-R7
       
     9 -			     10 September 2012
       
    10 +			    Version 4.1-ESV-R7-P1
       
    11 +                              01 January 2016
       
    12  
       
    13  			      Release Notes
       
    14  
       
    15 @@ -52,6 +52,13 @@
       
    16  work on other platforms. Please report any problems and suggested fixes to
       
    17  <[email protected]>.
       
    18  
       
    19 +			Changes since 4.1-ESV-R7-P1
       
    20 +
       
    21 +! Update the bounds checking when receiving a packet.
       
    22 +  Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
       
    23 +  patch.
       
    24 +  [ISC-Bugs #41267]
       
    25 +
       
    26  			Changes since 4.1-ESV-R6
       
    27  
       
    28  - Existing legacy unit-tests have been migrated to Automated Test
       
    29 --- old/common/packet.c	Thu Jan  7 21:28:37 2016
       
    30 +++ new/common/packet.c	Thu Jan  7 21:28:37 2016
       
    31 @@ -220,7 +220,28 @@
       
    32  	}
       
    33  }
       
    34  
       
    35 -/* UDP header and IP header decoded together for convenience. */
       
    36 +/*!
       
    37 + *
       
    38 + * \brief UDP header and IP header decoded together for convenience.
       
    39 + *
       
    40 + * Attempt to decode the UDP and IP headers and, if necessary, checksum
       
    41 + * the packet.
       
    42 + *
       
    43 + * \param inteface - the interface on which the packet was recevied
       
    44 + * \param buf - a pointer to the buffer for the received packet
       
    45 + * \param bufix - where to start processing the buffer, previous
       
    46 + *                routines may have processed parts of the buffer already
       
    47 + * \param from - space to return the address of the packet sender
       
    48 + * \param buflen - remaining length of the buffer, this will have been
       
    49 + *                 decremented by bufix by the caller
       
    50 + * \param rbuflen - space to return the length of the payload from the udp
       
    51 + *                  header
       
    52 + * \param csum_ready - indication if the checksum is valid for use
       
    53 + *                     non-zero indicates the checksum should be validated
       
    54 + *
       
    55 + * \return - the index to the first byte of the udp payload (that is the
       
    56 + *           start of the DHCP packet
       
    57 + */
       
    58  
       
    59  ssize_t
       
    60  decode_udp_ip_header(struct interface_info *interface,
       
    61 @@ -231,7 +252,7 @@
       
    62    unsigned char *data;
       
    63    struct ip ip;
       
    64    struct udphdr udp;
       
    65 -  unsigned char *upp, *endbuf;
       
    66 +  unsigned char *upp;
       
    67    u_int32_t ip_len, ulen, pkt_len;
       
    68    u_int32_t sum, usum;
       
    69    static int ip_packets_seen;
       
    70 @@ -242,11 +263,8 @@
       
    71    static int udp_packets_length_overflow;
       
    72    unsigned len;
       
    73  
       
    74 -  /* Designate the end of the input buffer for bounds checks. */
       
    75 -  endbuf = buf + bufix + buflen;
       
    76 -
       
    77    /* Assure there is at least an IP header there. */
       
    78 -  if ((buf + bufix + sizeof(ip)) > endbuf)
       
    79 +  if (sizeof(ip) > buflen)
       
    80  	  return -1;
       
    81  
       
    82    /* Copy the IP header into a stack aligned structure for inspection.
       
    83 @@ -258,13 +276,17 @@
       
    84    ip_len = (*upp & 0x0f) << 2;
       
    85    upp += ip_len;
       
    86  
       
    87 -  /* Check the IP packet length. */
       
    88 +  /* Check packet lengths are within the buffer:
       
    89 +   * first the ip header (ip_len)
       
    90 +   * then the packet length from the ip header (pkt_len)
       
    91 +   * then the udp header (ip_len + sizeof(udp)
       
    92 +   * We are liberal in what we accept, the udp payload should fit within
       
    93 +   * pkt_len, but we only check against the full buffer size.
       
    94 +   */
       
    95    pkt_len = ntohs(ip.ip_len);
       
    96 -  if (pkt_len > buflen)
       
    97 -	return -1;
       
    98 -
       
    99 -  /* Assure after ip_len bytes that there is enough room for a UDP header. */
       
   100 -  if ((upp + sizeof(udp)) > endbuf)
       
   101 +  if ((ip_len > buflen) ||
       
   102 +      (pkt_len > buflen) ||
       
   103 +      ((ip_len + sizeof(udp)) > buflen))
       
   104  	  return -1;
       
   105  
       
   106    /* Copy the UDP header into a stack aligned structure for inspection. */
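Review bot: The combined length test rejects an oversized `ip_len` but sets no lower bound on it: `ip_len = (*upp & 0x0f) << 2` is below `sizeof(ip)` whenever the header-length nibble is under 5, and the UDP header copied next would then be read from inside the IP header bytes. Unless a check outside this hunk already covers it, add `if (ip_len < sizeof(ip)) return -1;` ahead of the new condition. Nothing here relates `pkt_len` to `ip_len + sizeof(udp)` either, so an IP total length shorter than the two headers is accepted; the comment calls the checks liberal, but that case looks unintended. The first clause `(ip_len > buflen)` is implied by the third and could be dropped. The function starts and ends outside the hunk.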
       
   107 @@ -285,7 +307,8 @@
       
   108  	return -1;
       
   109  
       
   110    udp_packets_length_checked++;
       
   111 -  if ((upp + ulen) > endbuf) {
       
   112 +  /* verify that the payload length from the udp packet fits in the buffer */
       
   113 +  if ((ip_len + ulen) > buflen) {
       
   114  	udp_packets_length_overflow++;
       
   115  	if ((udp_packets_length_checked > 4) &&
       
   116  	    ((udp_packets_length_checked /
       
   117 --- old/./configure	Thu Jan  7 21:28:37 2016
       
   118 +++ new/./configure	Thu Jan  7 21:28:37 2016
       
   119 @@ -574,8 +574,8 @@
       
   120  # Identity of this package.
       
   121  PACKAGE_NAME='DHCP'
       
   122  PACKAGE_TARNAME='dhcp'
       
   123 -PACKAGE_VERSION='4.1-ESV-R7'
       
   124 -PACKAGE_STRING='DHCP 4.1-ESV-R7'
       
   125 +PACKAGE_VERSION='4.1-ESV-R7-P1'
       
   126 +PACKAGE_STRING='DHCP 4.1-ESV-R7-P1'
       
   127  PACKAGE_BUGREPORT='[email protected]'
       
   128  
       
   129  # Factoring default headers for most tests.
       
   130 @@ -2125,7 +2125,7 @@
       
   131  
       
   132  # Define the identity of the package.
       
   133   PACKAGE='dhcp'
       
   134 - VERSION='4.1-ESV-R7'
       
   135 + VERSION='4.1-ESV-R7-P1'
       
   136  
       
   137  
       
   138  cat >>confdefs.h <<_ACEOF
       
   139 --- old/./configure.ac	Thu Jan  7 21:28:37 2016
       
   140 +++ new/./configure.ac	Thu Jan  7 21:28:37 2016
       
   141 @@ -1,4 +1,4 @@
       
   142 -AC_INIT([DHCP], [4.1-ESV-R7], [[email protected]])
       
   143 +AC_INIT([DHCP], [4.1-ESV-R7-P1], [[email protected]])
       
   144  
       
   145  # we specify "foreign" to avoid having to have the GNU mandated files,
       
   146  # like AUTHORS, COPYING, and such