busybox/patches/busybox-1.24.2-CVE-2016-2147.patch

From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Fri, 26 Feb 2016 15:54:56 +0100
Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
 buffer)

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
---
 networking/udhcp/common.c | 15 +++++++++++++--
 networking/udhcp/dhcpc.c  |  4 ++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
index bc41c8d..680852c 100644
--- a/networking/udhcp/common.c
+++ b/networking/udhcp/common.c
@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
  * udhcp_str2optset: to determine how many bytes to allocate.
  * xmalloc_optname_optval: to estimate string length
  * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
- * is the number of elements, multiply in by one element's string width
+ * is the number of elements, multiply it by one element's string width
  * (len_of_option_as_string[opt_type]) and you know how wide string you need.
  */
 const uint8_t dhcp_option_lengths[] ALIGN1 = {
@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
 	[OPTION_S32] =     4,
 	/* Just like OPTION_STRING, we use minimum length here */
 	[OPTION_STATIC_ROUTES] = 5,
-	[OPTION_6RD] =    22,  /* ignored by udhcp_str2optset */
+	[OPTION_6RD] =    12,  /* ignored by udhcp_str2optset */
+	/* The above value was chosen as follows:
+	 * len_of_option_as_string[] for this option is >60: it's a string of the form
+	 * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
+	 * Each additional ipv4 address takes 4 bytes in binary option and appends
+	 * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
+	 * but this severely overestimates string length: instead of 16 bytes,
+	 * it adds >60 for every 4 bytes in binary option.
+	 * We cheat and declare here that option is in units of 12 bytes.
+	 * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
+	 * (Even 16 instead of 12 should work, but let's be paranoid).
+	 */
 };
 
 
diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
index 915f659..2332b57 100644
--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c
@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
 	[OPTION_IP              ] = sizeof("255.255.255.255 "),
 	[OPTION_IP_PAIR         ] = sizeof("255.255.255.255 ") * 2,
 	[OPTION_STATIC_ROUTES   ] = sizeof("255.255.255.255/32 255.255.255.255 "),
-	[OPTION_6RD             ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+	[OPTION_6RD             ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
 	[OPTION_STRING          ] = 1,
 	[OPTION_STRING_HOST     ] = 1,
 #if ENABLE_FEATURE_UDHCP_RFC3397
@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
 	type = optflag->flags & OPTION_TYPE_MASK;
 	optlen = dhcp_option_lengths[type];
 	upper_length = len_of_option_as_string[type]
-		* ((unsigned)(len + optlen - 1) / (unsigned)optlen);
+		* ((unsigned)(len + optlen) / (unsigned)optlen);
 
 	dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
 	dest += sprintf(ret, "%s=", opt_name);
-- 
2.7.4

1	niro	2779	From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001
2			From: Denys Vlasenko <vda.linux@googlemail.com>
3			Date: Fri, 26 Feb 2016 15:54:56 +0100
4			Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
5			buffer)
6
7			Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
8			Signed-off-by: Mike Frysinger <vapier@gentoo.org>
9			(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2)
10			---
11			networking/udhcp/common.c \| 15 +++++++++++++--
12			networking/udhcp/dhcpc.c \| 4 ++--
13			2 files changed, 15 insertions(+), 4 deletions(-)
14
15			diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
16			index bc41c8d..680852c 100644
17			--- a/networking/udhcp/common.c
18			+++ b/networking/udhcp/common.c
19			@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
20			* udhcp_str2optset: to determine how many bytes to allocate.
21			* xmalloc_optname_optval: to estimate string length
22			* from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
23			- * is the number of elements, multiply in by one element's string width
24			+ * is the number of elements, multiply it by one element's string width
25			* (len_of_option_as_string[opt_type]) and you know how wide string you need.
26			*/
27			const uint8_t dhcp_option_lengths[] ALIGN1 = {
28			@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
29			[OPTION_S32] = 4,
30			/* Just like OPTION_STRING, we use minimum length here */
31			[OPTION_STATIC_ROUTES] = 5,
32			- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
33			+ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
34			+ /* The above value was chosen as follows:
35			+ * len_of_option_as_string[] for this option is >60: it's a string of the form
36			+ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
37			+ * Each additional ipv4 address takes 4 bytes in binary option and appends
38			+ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
39			+ * but this severely overestimates string length: instead of 16 bytes,
40			+ * it adds >60 for every 4 bytes in binary option.
41			+ * We cheat and declare here that option is in units of 12 bytes.
42			+ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
43			+ * (Even 16 instead of 12 should work, but let's be paranoid).
44			+ */
45			};
46
47
48			diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
49			index 915f659..2332b57 100644
50			--- a/networking/udhcp/dhcpc.c
51			+++ b/networking/udhcp/dhcpc.c
52			@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
53			[OPTION_IP ] = sizeof("255.255.255.255 "),
54			[OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
55			[OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
56			- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
57			+ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
58			[OPTION_STRING ] = 1,
59			[OPTION_STRING_HOST ] = 1,
60			#if ENABLE_FEATURE_UDHCP_RFC3397
61			@@ -220,7 +220,7 @@ static NOINLINE char xmalloc_optname_optval(uint8_t option, const struct dhcp_
62			type = optflag->flags & OPTION_TYPE_MASK;
63			optlen = dhcp_option_lengths[type];
64			upper_length = len_of_option_as_string[type]
65			- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
66			+ * ((unsigned)(len + optlen) / (unsigned)optlen);
67
68			dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
69			dest += sprintf(ret, "%s=", opt_name);
70			--
71			2.7.4
72