[#182] Corrected CVE: CVE-2021-25217

Addressed buffer overwrite in parse_X()

Added Release Note

common/parse.c
    parse_X() - reworked to avoid buffer overwrite on
    over-sized hex literals

common/tests/option_unittest.c
    ATF_TC_BODY(parse_X) - new test which verifies
    parse_X() logic.

3 files changed, 97 insertions, 5 deletions

diff --git a/RELNOTES b/RELNOTES
index 42a90fb4..d5388494 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,13 @@
               Internet Systems Consortium DHCP Distribution
 
-                           Version 4.1-ESV-R16
-                             01 January 2020
+                           Version 4.1-ESV-R16-P1
+                               26 May 2021
 
                               Release Notes
 
                                NEW FEATURES
 
-Version 4.1-ESV-R16 is a maintenance release of an extended support version
+Version 4.1-ESV-R16-P1 is a security release of an extended support version
 (ESV) release.  ESVs are intended for users who have longer upgrade
 constraints.  Please see our web page:
 
@@ -74,6 +74,13 @@ We welcome comments from DHCP users, about this or anything else we do.
 Email Vicky Risk, Product Manager at vicky@isc.org or discuss on
 dhcp-users@lists.isc.org.
 
+			Changes since 4.1-ESV-R16
+
+- Corrected a buffer overwrite possible when parsing hexadecimal
+  literals with more than 1024 octets.
+  [Gitlab #182]
+  CVE: CVE-2021-25217
+
 			Changes since 4.1-ESV-R16b1
 
 - Corrected buffer pointer logic in dhcrelay functions that manipulate
diff --git a/common/parse.c b/common/parse.c
index e78223c2..57ae1793 100644
--- a/common/parse.c
+++ b/common/parse.c
@@ -5790,13 +5790,14 @@ int parse_X (cfile, buf, max)
 				skip_to_semi (cfile);
 				return 0;
 			}
-			convert_num (cfile, &buf [len], val, 16, 8);
-			if (len++ > max) {
+			if (len >= max) {
 				parse_warn (cfile,
 					    "hexadecimal constant too long.");
 				skip_to_semi (cfile);
 				return 0;
 			}
+			convert_num (cfile, &buf [len], val, 16, 8);
+			len++;
 			token = peek_token (&val, (unsigned *)0, cfile);
 			if (token == COLON)
 				token = next_token (&val,
diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
index cd52cfb4..bea60837 100644
--- a/common/tests/option_unittest.c
+++ b/common/tests/option_unittest.c
@@ -129,6 +129,89 @@ ATF_TC_BODY(pretty_print_option, tc)
     }
 }
 
+ATF_TC(parse_X);
+
+ATF_TC_HEAD(parse_X, tc)
+{
+    atf_tc_set_md_var(tc, "descr",
+		      "Verify parse_X survices option too big.");
+}
+
+/* Initializes a parse struct from an input buffer of data. */
+static void init_parse(struct parse *cfile, char* name, char *input) {
+    memset(cfile, 0, sizeof(struct parse));
+    cfile->tlname = name;
+    cfile->lpos = cfile->line = 1;
+    cfile->cur_line = cfile->line1;
+    cfile->prev_line = cfile->line2;
+    cfile->token_line = cfile->cur_line;
+    cfile->cur_line[0] = cfile->prev_line[0] = 0;
+    cfile->file = -1;
+    cfile->eol_token = 0;
+
+    cfile->inbuf = input;
+    cfile->buflen = strlen(input);
+    cfile->bufsiz = 0;
+}
+
+/*
+ * This test verifies that parse_X does not overwrite the output
+ * buffer when given input data that exceeds the output buffer
+ * capacity.
+*/
+ATF_TC_BODY(parse_X, tc)
+{
+    struct parse cfile;
+    u_int8_t output[10];
+    unsigned len;
+
+    /* Input hex literal */
+    char *input = "01:02:03:04:05:06:07:08";
+    unsigned expected_len = 8;
+
+    /* Normal output plus two filler bytes */
+    u_int8_t expected_plus_two[] = {
+        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0xff, 0xff
+    };
+
+    /* Safe output when option is too long */
+    unsigned short_buf_len = 4;
+    u_int8_t expected_too_long[] = {
+        0x01, 0x02, 0x03, 0x04, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+    };
+
+    /* First we'll run one that works normally */
+    memset(output, 0xff, sizeof(output));
+    init_parse(&cfile, "hex_fits", input);
+
+    len = parse_X(&cfile, output, expected_len);
+
+    // Len should match the expected len.
+    if (len != expected_len) {
+	    atf_tc_fail("parse_X failed, output len: %d", len);
+    }
+
+    // We should not have written anything past the end of the buffer.
+    if (memcmp(output, expected_plus_two, sizeof(output))) {
+	    atf_tc_fail("parse_X failed, output does not match expected");
+    }
+
+    // Now we'll try it with a buffer that's too small.
+    init_parse(&cfile, "hex_too_long", input);
+    memset(output, 0xff, sizeof(output));
+
+    len = parse_X(&cfile, output, short_buf_len);
+
+    // On errors, len should be zero.
+    if (len != 0) {
+	    atf_tc_fail("parse_X failed, we should have had an error");
+    }
+
+    // We should not have written anything past the end of the buffer.
+    if (memcmp(output, expected_too_long, sizeof(output))) {
+        atf_tc_fail("parse_X overwrote buffer!");
+    }
+}
 
 /* This macro defines main() method that will call specified
    test cases. tp and simple_test_case names can be whatever you want
@@ -137,6 +220,7 @@ ATF_TP_ADD_TCS(tp)
 {
     ATF_TP_ADD_TC(tp, option_refcnt);
     ATF_TP_ADD_TC(tp, pretty_print_option);
+    ATF_TP_ADD_TC(tp, parse_X);
 
     return (atf_no_error());
 }