Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 19 Dec 2018 18:21:07 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r342230 - releng/12.0/libexec/bootpd
Message-ID:  <201812191821.wBJIL77v005583@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: emaste
Date: Wed Dec 19 18:21:07 2018
New Revision: 342230
URL: https://svnweb.freebsd.org/changeset/base/342230

Log:
  MFS12 r342228: bootpd: validate hardware type
  
  Due to insufficient validation of network-provided data it may have been
  possible for a malicious actor to craft a bootp packet which could cause
  a stack buffer overflow.
  
  admbugs:	850
  Reported by:	Reno Robert
  Reviewed by:	markj
  Approved by:	so
  Security:	FreeBSD-SA-18:15.bootpd
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/12.0/libexec/bootpd/bootpd.c
Directory Properties:
  releng/12.0/   (props changed)

Modified: releng/12.0/libexec/bootpd/bootpd.c
==============================================================================
--- releng/12.0/libexec/bootpd/bootpd.c	Wed Dec 19 18:19:15 2018	(r342229)
+++ releng/12.0/libexec/bootpd/bootpd.c	Wed Dec 19 18:21:07 2018	(r342230)
@@ -636,6 +636,10 @@ handle_request()
 	char *homedir, *bootfile;
 	int n;
 
+	if (bp->bp_htype >= hwinfocnt) {
+		report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);
+		return;
+	}
 	bp->bp_file[sizeof(bp->bp_file)-1] = '\0';
 
 	/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812191821.wBJIL77v005583>