Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 21 May 2019 13:14:52 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 238022] buffer overrun in function make_request in sbin/dhclient/dhclient.c
Message-ID:  <bug-238022-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238022

            Bug ID: 238022
           Summary: buffer overrun in function make_request in
                    sbin/dhclient/dhclient.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 204510
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D204510&action=
=3Dedit
Proposed patch

There is a buffer overrun vulnerability in function make_request of
sbin/dhclient/dhclient.c, which is similar to the vulnerability that was fi=
xed
in
https://github.com/freebsd/freebsd/commit/16b93d101357f716946014207ddfe9d84=
9f97fc9.

        /* set unique client identifier */
        char client_ident[sizeof(struct hardware)];
        if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
                int hwlen =3D (ip->hw_address.hlen < sizeof(client_ident)-1=
) ?
                                ip->hw_address.hlen : sizeof(client_ident)-=
1;
                client_ident[0] =3D ip->hw_address.htype;
                memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
                options[DHO_DHCP_CLIENT_IDENTIFIER] =3D
&option_elements[DHO_DHCP_CLIENT_IDENTIFIER];
                options[DHO_DHCP_CLIENT_IDENTIFIER]->value =3D client_ident;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->len =3D hwlen+1;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size =3D hwlen+1;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout =3D 0xFFFFFFFF;
        }

A DHCP client identifier is simply the hardware type (one byte) concatenated
with the hardware address.
We should set the lengthe of clinet_ident to sizeof(ip->hw_address.haddr) +=
 1,
instead of sizeof(struct hardware).

The attachment is the proposed patch.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238022-227>