Date: Tue, 21 May 2019 13:14:52 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 238022] buffer overrun in function make_request in sbin/dhclient/dhclient.c Message-ID: <bug-238022-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238022 Bug ID: 238022 Summary: buffer overrun in function make_request in sbin/dhclient/dhclient.c Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: yangx92@hotmail.com Created attachment 204510 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D204510&action= =3Dedit Proposed patch There is a buffer overrun vulnerability in function make_request of sbin/dhclient/dhclient.c, which is similar to the vulnerability that was fi= xed in https://github.com/freebsd/freebsd/commit/16b93d101357f716946014207ddfe9d84= 9f97fc9. /* set unique client identifier */ char client_ident[sizeof(struct hardware)]; if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) { int hwlen =3D (ip->hw_address.hlen < sizeof(client_ident)-1= ) ? ip->hw_address.hlen : sizeof(client_ident)-= 1; client_ident[0] =3D ip->hw_address.htype; memcpy(&client_ident[1], ip->hw_address.haddr, hwlen); options[DHO_DHCP_CLIENT_IDENTIFIER] =3D &option_elements[DHO_DHCP_CLIENT_IDENTIFIER]; options[DHO_DHCP_CLIENT_IDENTIFIER]->value =3D client_ident; options[DHO_DHCP_CLIENT_IDENTIFIER]->len =3D hwlen+1; options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size =3D hwlen+1; options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout =3D 0xFFFFFFFF; } A DHCP client identifier is simply the hardware type (one byte) concatenated with the hardware address. We should set the lengthe of clinet_ident to sizeof(ip->hw_address.haddr) += 1, instead of sizeof(struct hardware). The attachment is the proposed patch. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238022-227>