components/isc-dhcp/patches/002-CVE-2015-8605.patch
branchs11u3-sru
changeset 5294 aab231e23f51
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/isc-dhcp/patches/002-CVE-2015-8605.patch	Tue Jan 19 14:07:25 2016 -0800
@@ -0,0 +1,146 @@
+This patch was derived from ISC source differences between dhcp-4.1-ESV-R12
+and dhcp-4.1-ESV-R12-P1.
+
+--- old/./RELNOTES	Thu Jan  7 21:28:37 2016
++++ new/./RELNOTES	Thu Jan  7 21:28:37 2016
+@@ -1,6 +1,6 @@
+ 	      Internet Systems Consortium DHCP Distribution
+-			    Version 4.1-ESV-R7
+-			     10 September 2012
++			    Version 4.1-ESV-R7-P1
++                              01 January 2016
+ 
+ 			      Release Notes
+ 
+@@ -52,6 +52,13 @@
+ work on other platforms. Please report any problems and suggested fixes to
+ <[email protected]>.
+ 
++			Changes since 4.1-ESV-R7-P1
++
++! Update the bounds checking when receiving a packet.
++  Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
++  patch.
++  [ISC-Bugs #41267]
++
+ 			Changes since 4.1-ESV-R6
+ 
+ - Existing legacy unit-tests have been migrated to Automated Test
+--- old/common/packet.c	Thu Jan  7 21:28:37 2016
++++ new/common/packet.c	Thu Jan  7 21:28:37 2016
+@@ -220,7 +220,28 @@
+ 	}
+ }
+ 
+-/* UDP header and IP header decoded together for convenience. */
++/*!
++ *
++ * \brief UDP header and IP header decoded together for convenience.
++ *
++ * Attempt to decode the UDP and IP headers and, if necessary, checksum
++ * the packet.
++ *
++ * \param inteface - the interface on which the packet was recevied
++ * \param buf - a pointer to the buffer for the received packet
++ * \param bufix - where to start processing the buffer, previous
++ *                routines may have processed parts of the buffer already
++ * \param from - space to return the address of the packet sender
++ * \param buflen - remaining length of the buffer, this will have been
++ *                 decremented by bufix by the caller
++ * \param rbuflen - space to return the length of the payload from the udp
++ *                  header
++ * \param csum_ready - indication if the checksum is valid for use
++ *                     non-zero indicates the checksum should be validated
++ *
++ * \return - the index to the first byte of the udp payload (that is the
++ *           start of the DHCP packet
++ */
+ 
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
+@@ -231,7 +252,7 @@
+   unsigned char *data;
+   struct ip ip;
+   struct udphdr udp;
+-  unsigned char *upp, *endbuf;
++  unsigned char *upp;
+   u_int32_t ip_len, ulen, pkt_len;
+   u_int32_t sum, usum;
+   static int ip_packets_seen;
+@@ -242,11 +263,8 @@
+   static int udp_packets_length_overflow;
+   unsigned len;
+ 
+-  /* Designate the end of the input buffer for bounds checks. */
+-  endbuf = buf + bufix + buflen;
+-
+   /* Assure there is at least an IP header there. */
+-  if ((buf + bufix + sizeof(ip)) > endbuf)
++  if (sizeof(ip) > buflen)
+ 	  return -1;
+ 
+   /* Copy the IP header into a stack aligned structure for inspection.
+@@ -258,13 +276,17 @@
+   ip_len = (*upp & 0x0f) << 2;
+   upp += ip_len;
+ 
+-  /* Check the IP packet length. */
++  /* Check packet lengths are within the buffer:
++   * first the ip header (ip_len)
++   * then the packet length from the ip header (pkt_len)
++   * then the udp header (ip_len + sizeof(udp)
++   * We are liberal in what we accept, the udp payload should fit within
++   * pkt_len, but we only check against the full buffer size.
++   */
+   pkt_len = ntohs(ip.ip_len);
+-  if (pkt_len > buflen)
+-	return -1;
+-
+-  /* Assure after ip_len bytes that there is enough room for a UDP header. */
+-  if ((upp + sizeof(udp)) > endbuf)
++  if ((ip_len > buflen) ||
++      (pkt_len > buflen) ||
++      ((ip_len + sizeof(udp)) > buflen))
+ 	  return -1;
+ 
+   /* Copy the UDP header into a stack aligned structure for inspection. */
+@@ -285,7 +307,8 @@
+ 	return -1;
+ 
+   udp_packets_length_checked++;
+-  if ((upp + ulen) > endbuf) {
++  /* verify that the payload length from the udp packet fits in the buffer */
++  if ((ip_len + ulen) > buflen) {
+ 	udp_packets_length_overflow++;
+ 	if ((udp_packets_length_checked > 4) &&
+ 	    ((udp_packets_length_checked /
+--- old/./configure	Thu Jan  7 21:28:37 2016
++++ new/./configure	Thu Jan  7 21:28:37 2016
+@@ -574,8 +574,8 @@
+ # Identity of this package.
+ PACKAGE_NAME='DHCP'
+ PACKAGE_TARNAME='dhcp'
+-PACKAGE_VERSION='4.1-ESV-R7'
+-PACKAGE_STRING='DHCP 4.1-ESV-R7'
++PACKAGE_VERSION='4.1-ESV-R7-P1'
++PACKAGE_STRING='DHCP 4.1-ESV-R7-P1'
+ PACKAGE_BUGREPORT='[email protected]'
+ 
+ # Factoring default headers for most tests.
+@@ -2125,7 +2125,7 @@
+ 
+ # Define the identity of the package.
+  PACKAGE='dhcp'
+- VERSION='4.1-ESV-R7'
++ VERSION='4.1-ESV-R7-P1'
+ 
+ 
+ cat >>confdefs.h <<_ACEOF
+--- old/./configure.ac	Thu Jan  7 21:28:37 2016
++++ new/./configure.ac	Thu Jan  7 21:28:37 2016
+@@ -1,4 +1,4 @@
+-AC_INIT([DHCP], [4.1-ESV-R7], [[email protected]])
++AC_INIT([DHCP], [4.1-ESV-R7-P1], [[email protected]])
+ 
+ # we specify "foreign" to avoid having to have the GNU mandated files,
+ # like AUTHORS, COPYING, and such
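Review bot: The patch header says the change was derived from the dhcp-4.1-ESV-R12 to R12-P1 differences, yet the embedded RELNOTES and configure hunks bump 4.1-ESV-R7 to R7-P1, and the new RELNOTES heading reads `Changes since 4.1-ESV-R7-P1` where the neighbouring entry suggests `Changes since 4.1-ESV-R7`; this makes the backport hard to verify against the upstream fix, so the header should name the releases actually diffed. In the common/packet.c hunks every bounds test now compares against `buflen` alone, which is only sound if each caller passes the length remaining after `bufix`, as the new doc comment states; those callers are outside this patch and should be confirmed. Nothing visible in these hunks rejects an IP header length below `sizeof(ip)`, so a guard such as `if (ip_len < sizeof(ip)) return -1;` ahead of the combined length check would stop the UDP header from being parsed out of IP header bytes (the lines between hunks are not shown, so this may already exist). The `(ip_len > buflen)` term is implied by `((ip_len + sizeof(udp)) > buflen)` and could be dropped, and the doc comment's `inteface` and `recevied` are misspelled.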