Contents of /trunk/busybox/patches/busybox-1.24.2-CVE-2016-2147.patch
Revision 2779 -
Fri Apr 8 07:24:48 2016 UTC (8 years, 5 months ago) by niro
File size: 3453 byte(s)
-added 1.24.2 official patches
1 | From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001 |
2 | From: Denys Vlasenko <vda.linux@googlemail.com> |
3 | Date: Fri, 26 Feb 2016 15:54:56 +0100 |
4 | Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced |
5 | buffer) |
6 | |
7 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
8 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> |
9 | (cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2) |
10 | --- |
11 | networking/udhcp/common.c | 15 +++++++++++++-- |
12 | networking/udhcp/dhcpc.c | 4 ++-- |
13 | 2 files changed, 15 insertions(+), 4 deletions(-) |
14 | |
15 | diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c |
16 | index bc41c8d..680852c 100644 |
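--- a/networking/udhcp/common.c
+++ b/networking/udhcp/common.c
@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 =
 * udhcp_str2optset: to determine how many bytes to allocate.
 * xmalloc_optname_optval: to estimate string length
 * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
- * is the number of elements, multiply in by one element's string width
+ * is the number of elements, multiply it by one element's string width
 * (len_of_option_as_string[opt_type]) and you know how wide string you need.
 */
 const uint8_t dhcp_option_lengths[] ALIGN1 = {
@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
 [OPTION_S32] = 4,
 /* Just like OPTION_STRING, we use minimum length here */
 [OPTION_STATIC_ROUTES] = 5,
- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
+ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
+ /* The above value was chosen as follows:
+ * len_of_option_as_string[] for this option is >60: it's a string of the form
+ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
+ * Each additional ipv4 address takes 4 bytes in binary option and appends
+ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
+ * but this severely overestimates string length: instead of 16 bytes,
+ * it adds >60 for every 4 bytes in binary option.
+ * We cheat and declare here that option is in units of 12 bytes.
+ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
+ * (Even 16 instead of 12 should work, but let's be paranoid).
+ */
 };
 
 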
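Review bot: After this change `[OPTION_6RD] = 12` is no longer the option's minimum wire length but a sizing unit picked so that the estimate in dhcpc.c comes out large enough, and only the new comment ties the two files together. The hunk does not show whether any other reader of `dhcp_option_lengths[]` treats the entry as a minimum length for a received option; if one does, going from 22 to 12 loosens that check, so the 6RD formatter should validate the received length itself rather than rely on this table. I would also make the trailing comment on the entry say what the number means, e.g. `/* sizing unit, not the wire minimum; see xmalloc_optname_optval() in dhcpc.c */`. The array definition starts outside the hunk.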
48 | diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c |
49 | index 915f659..2332b57 100644 |
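--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c
@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = {
 [OPTION_IP ] = sizeof("255.255.255.255 "),
 [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
 [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
 [OPTION_STRING ] = 1,
 [OPTION_STRING_HOST ] = 1,
 #if ENABLE_FEATURE_UDHCP_RFC3397
@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
 type = optflag->flags & OPTION_TYPE_MASK;
 optlen = dhcp_option_lengths[type];
 upper_length = len_of_option_as_string[type]
- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
+ * ((unsigned)(len + optlen) / (unsigned)optlen);
 
 dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
 dest += sprintf(ret, "%s=", opt_name);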
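Review bot: The `upper_length` computed in the second hunk is still only an estimate, and nothing visible here enforces it where the string is written. The function continues outside the hunk, and the `dest += sprintf(...)` pattern suggests the per-element formatting advances `dest` without checking the space left, so the fix holds only while `dhcp_option_lengths[]` and `len_of_option_as_string[]` stay consistent with the formatter. I would state that invariant at the computation, e.g. `/* upper bound: always one element of slack, since len need not be a multiple of optlen; the formatting below relies on it */`, and consider passing the remaining size to `snprintf` in the formatting code. In the first hunk the template's change from "32 128" to "132 128" has no comment; it presumably leaves room for a three-digit first field and is worth a short note so it is not later "corrected" as a typo.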
70 | -- |
71 | 2.7.4 |
72 |