|
1 This patch was derived from ISC source differences between dhcp-4.1-ESV-R12 |
|
2 and dhcp-4.1-ESV-R12-P1. |
|
3 |
|
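--- old/./RELNOTES Thu Jan 7 21:28:37 2016
+++ new/./RELNOTES Thu Jan 7 21:28:37 2016
@@ -1,6 +1,6 @@
 Internet Systems Consortium DHCP Distribution
- Version 4.1-ESV-R7
- 10 September 2012
+ Version 4.1-ESV-R7-P1
+ 01 January 2016
 
 Release Notes
 
@@ -52,6 +52,13 @@
 work on other platforms. Please report any problems and suggested fixes to
 <[email protected]>.
 
+ Changes since 4.1-ESV-R7-P1
+
+! Update the bounds checking when receiving a packet.
+ Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
+ patch.
+ [ISC-Bugs #41267]
+
 Changes since 4.1-ESV-R6
 
 - Existing legacy unit-tests have been migrated to Automated Test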
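--- old/common/packet.c Thu Jan 7 21:28:37 2016
+++ new/common/packet.c Thu Jan 7 21:28:37 2016
@@ -220,7 +220,28 @@
 }
 }
 
-/* UDP header and IP header decoded together for convenience. */
+/*!
+ *
+ * \brief UDP header and IP header decoded together for convenience.
+ *
+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
+ * the packet.
+ *
+ * \param inteface - the interface on which the packet was recevied
+ * \param buf - a pointer to the buffer for the received packet
+ * \param bufix - where to start processing the buffer, previous
+ * routines may have processed parts of the buffer already
+ * \param from - space to return the address of the packet sender
+ * \param buflen - remaining length of the buffer, this will have been
+ * decremented by bufix by the caller
+ * \param rbuflen - space to return the length of the payload from the udp
+ * header
+ * \param csum_ready - indication if the checksum is valid for use
+ * non-zero indicates the checksum should be validated
+ *
+ * \return - the index to the first byte of the udp payload (that is the
+ * start of the DHCP packet
+ */
 
 ssize_t
 decode_udp_ip_header(struct interface_info *interface,
@@ -231,7 +252,7 @@
 unsigned char *data;
 struct ip ip;
 struct udphdr udp;
- unsigned char *upp, *endbuf;
+ unsigned char *upp;
 u_int32_t ip_len, ulen, pkt_len;
 u_int32_t sum, usum;
 static int ip_packets_seen;
@@ -242,11 +263,8 @@
 static int udp_packets_length_overflow;
 unsigned len;
 
- /* Designate the end of the input buffer for bounds checks. */
- endbuf = buf + bufix + buflen;
-
 /* Assure there is at least an IP header there. */
- if ((buf + bufix + sizeof(ip)) > endbuf)
+ if (sizeof(ip) > buflen)
 return -1;
 
 /* Copy the IP header into a stack aligned structure for inspection.
@@ -258,13 +276,17 @@
 ip_len = (*upp & 0x0f) << 2;
 upp += ip_len;
 
- /* Check the IP packet length. */
+ /* Check packet lengths are within the buffer:
+ * first the ip header (ip_len)
+ * then the packet length from the ip header (pkt_len)
+ * then the udp header (ip_len + sizeof(udp)
+ * We are liberal in what we accept, the udp payload should fit within
+ * pkt_len, but we only check against the full buffer size.
+ */
 pkt_len = ntohs(ip.ip_len);
- if (pkt_len > buflen)
- return -1;
-
- /* Assure after ip_len bytes that there is enough room for a UDP header. */
- if ((upp + sizeof(udp)) > endbuf)
+ if ((ip_len > buflen) ||
+ (pkt_len > buflen) ||
+ ((ip_len + sizeof(udp)) > buflen))
 return -1;
 
 /* Copy the UDP header into a stack aligned structure for inspection. */
@@ -285,7 +307,8 @@
 return -1;
 
 udp_packets_length_checked++;
- if ((upp + ulen) > endbuf) {
+ /* verify that the payload length from the udp packet fits in the buffer */
+ if ((ip_len + ulen) > buflen) {
 udp_packets_length_overflow++;
 if ((udp_packets_length_checked > 4) &&
 ((udp_packets_length_checked /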
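Review bot: The combined length test added after `pkt_len = ntohs(ip.ip_len);` bounds `ip_len` only from above, so in the visible lines a header-length nibble below 5 (an `ip_len` smaller than `sizeof(ip)`, including 0) is still accepted and the UDP header is then taken from bytes that belong to the IP header. The earlier `sizeof(ip) > buflen` test appears to keep that read inside the buffer, so this is acceptance of a malformed packet rather than an overread; adding `(ip_len < sizeof(ip)) ||` as the first clause would reject it. The new comment also accepts that the UDP payload is not checked against `pkt_len`, which lets bytes beyond the declared end of the IP datagram be handed on as payload; a sentence saying why that leniency is safe would help the next reader. In the new comments, `inteface` and `recevied` are misspelled, and `(that is the start of the DHCP packet` and `(ip_len + sizeof(udp)` lack their closing parenthesis. decode_udp_ip_header begins and ends outside these hunks.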
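--- old/./configure Thu Jan 7 21:28:37 2016
+++ new/./configure Thu Jan 7 21:28:37 2016
@@ -574,8 +574,8 @@
 # Identity of this package.
 PACKAGE_NAME='DHCP'
 PACKAGE_TARNAME='dhcp'
-PACKAGE_VERSION='4.1-ESV-R7'
-PACKAGE_STRING='DHCP 4.1-ESV-R7'
+PACKAGE_VERSION='4.1-ESV-R7-P1'
+PACKAGE_STRING='DHCP 4.1-ESV-R7-P1'
 PACKAGE_BUGREPORT='[email protected]'
 
 # Factoring default headers for most tests.
@@ -2125,7 +2125,7 @@
 
 # Define the identity of the package.
 PACKAGE='dhcp'
- VERSION='4.1-ESV-R7'
+ VERSION='4.1-ESV-R7-P1'
 
 
 cat >>confdefs.h <<_ACEOF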
139 --- old/./configure.ac Thu Jan 7 21:28:37 2016 |
|
140 +++ new/./configure.ac Thu Jan 7 21:28:37 2016 |
|
141 @@ -1,4 +1,4 @@ |
|
142 -AC_INIT([DHCP], [4.1-ESV-R7], [[email protected]]) |
|
143 +AC_INIT([DHCP], [4.1-ESV-R7-P1], [[email protected]]) |
|
144 |
|
145 # we specify "foreign" to avoid having to have the GNU mandated files, |
|
146 # like AUTHORS, COPYING, and such |