authorThomas Markwalder <tmark@isc.org>2019-06-20 10:43:10 -0400
committerThomas Markwalder <tmark@isc.org>2019-06-20 10:43:10 -0400
commit4584b794bed3b54df1b065db165e0f01696670d1 (patch)
treea262702363271c6d39b58d9ca7da5570a8d48246
parentbbb66aedc46b336e5c71f10eb747ead60729aa04 (diff)
downloadisc-dhcp-4584b794bed3b54df1b065db165e0f01696670d1.tar.gz
[v4_1_esv_r15_p1] Added fixes for CVE-2018-5733 and CVE-2018-5732
modified: RELNOTES modified: common/options.c
-rw-r--r--RELNOTES12
-rw-r--r--common/options.c18
2 files changed, 26 insertions, 4 deletions
diff --git a/RELNOTES b/RELNOTES
index edb258d7..eba2bf6a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -117,6 +117,18 @@ dhcp-users@lists.isc.org.
Thanks to Peter Lewis for requesting this change.
[ISC-Bugs 47062]
+! Option reference count was not correctly decremented in error path
+ when parsing buffer for options. Reported by Felix Wilhelm, Google
+ Security Team.
+ [ISC-Bugs #47140]
+ CVE: CVE-2018-5733
+
+! Corrected an issue where large sized 'X/x' format options were causing
+ option handling logic to overwrite memory when expanding them to human
+ readable form. Reported by Felix Wilhelm, Google Security Team.
+ [ISC-Bugs #47139]
+ CVE: CVE-2018-5732
+
Changes since 4.1-ESV-R15b1
- None
diff --git a/common/options.c b/common/options.c
index a136cd5c..5b4f17d9 100644
--- a/common/options.c
+++ b/common/options.c
@@ -3,7 +3,7 @@
DHCP options parsing and reassembly. */
/*
- * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2018 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 1995-2003 by Internet Software Consortium
*
* Permission to use, copy, modify, and distribute this software for any
@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer, length, universe)
/* If the length is outrageous, the options are bad. */
if (offset + len > length) {
+ /* Avoid reference count overflow */
+ option_dereference(&option, MDL);
reason = "option length exceeds option buffer length";
bogus:
log_error("parse_option_buffer: malformed option "
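Review bot: The new `option_dereference(&option, MDL);` sits above the `bogus:` label, so only this one error path releases the reference. Any other `goto bogus` in parse_option_buffer that is reached while `option` is still held would leak it in the same way; those jumps are outside this hunk and should be checked. The comment would also be clearer if it stated the invariant rather than the symptom, for example `/* Drop the reference held in 'option' before bailing out, so repeated malformed options cannot wrap the refcount. */`. The function starts and ends outside the hunk.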
@@ -1751,7 +1753,8 @@ format_min_length(format, oc)
/* Format the specified option so that a human can easily read it. */
-
+/* Maximum pretty printed size */
+#define MAX_OUTPUT_SIZE 32*1024
const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
struct option *option;
const unsigned char *data;
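Review bot: `#define MAX_OUTPUT_SIZE 32*1024` is not parenthesized, so a later use such as `x / MAX_OUTPUT_SIZE` or `x % MAX_OUTPUT_SIZE` would silently compute the wrong value. The uses visible in this commit (`MAX_OUTPUT_SIZE + 128`, `optbuf + MAX_OUTPUT_SIZE`) happen to expand correctly, but the definition should be `#define MAX_OUTPUT_SIZE (32*1024)`. Placing the macro here also separates the existing "Format the specified option..." comment from pretty_print_option; moving the define above that comment keeps the function's description attached to it.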
@@ -1759,8 +1762,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
int emit_commas;
int emit_quotes;
{
- static char optbuf [32768]; /* XXX */
- static char *endbuf = &optbuf[sizeof(optbuf)];
+ /* We add 128 byte pad so we don't have to add checks everywhere. */
+ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
+ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
int hunksize = 0;
int opthunk = 0;
int hunkinc = 0;
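Review bot: The 128-byte pad in `optbuf [MAX_OUTPUT_SIZE + 128]` is only sufficient if no single element formatted between two bounds checks can write more than 128 bytes past `endbuf`, and neither the comment nor the code states that bound. The check added later in this commit (`if (op >= endbuf)`) runs after the write, so the pad appears to be the only thing keeping that write inside the buffer. I would name the pad and record the invariant, e.g. `#define OUTPUT_PAD 128 /* must exceed the largest single-element expansion */`, and note that any format able to emit a longer element needs its own check before writing. The function body continues outside this hunk.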
@@ -2187,6 +2191,12 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
fmtbuf [j]);
}
op += strlen (op);
+ if (op >= endbuf) {
+ log_error ("Option data exceeds"
+ " maximum size %d", MAX_OUTPUT_SIZE);
+ return ("<error>");
+ }
+
if (dp == data + len)
break;
if (j + 1 < numelem && comma != ':')
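Review bot: The `log_error` added here reports only the size limit, so an operator who sees "Option data exceeds maximum size" cannot tell which option triggered it. Since this path is reached by oversized option data, including the option's identity from the `option` parameter would make the line usable for triage and alerting. Callers also receive the literal `"<error>"` as if it were a formatted value; whether any caller writes that string into a lease file or script environment is not visible here and is worth confirming. pretty_print_option starts and ends outside this hunk.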