[Bug 238022] buffer overrun in function make_request in sbin/dhclient/dhclient.c

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue May 21 13:14:55 UTC 2019


            Bug ID: 238022
           Summary: buffer overrun in function make_request in
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: yangx92 at hotmail.com

Created attachment 204510
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204510&action=edit
Proposed patch

There is a buffer overrun vulnerability in function make_request of
sbin/dhclient/dhclient.c, which is similar to the vulnerability that was fixed

        /* set unique client identifier */
        char client_ident[sizeof(struct hardware)];
        if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
                int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ?
                                ip->hw_address.hlen : sizeof(client_ident)-1;
                client_ident[0] = ip->hw_address.htype;
                memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
                options[DHO_DHCP_CLIENT_IDENTIFIER] =
                options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF;

A DHCP client identifier is simply the hardware type (one byte) concatenated
with the hardware address.
We should set the length of client_ident to sizeof(ip->hw_address.haddr) + 1,
instead of sizeof(struct hardware).

The attachment is the proposed patch.

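
Added example, not part of the original report or of the FreeBSD source: it evaluates the clamp from the quoted code for both client_ident sizes and shows a copy bounded by the source array as well as the destination. The struct hardware layout (htype, hlen, 16-byte haddr), HADDR_MAX, and the functions clamped_hwlen and build_client_ident are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for dhclient's struct hardware; layout is not in the report. */
struct hardware {
	uint8_t htype;
	uint8_t hlen;
	uint8_t haddr[16];
};
#define HADDR_MAX sizeof(((struct hardware *)0)->haddr)

/* The clamp from the quoted code, parameterised on sizeof(client_ident). */
size_t clamped_hwlen(uint8_t hlen, size_t ident_size)
{
	return (hlen < ident_size - 1) ? hlen : ident_size - 1;
}

/* Hypothetical helper: write htype || haddr into out, bounding the copy by
 * the source array as well as the destination. Returns the identifier
 * length, or 0 if out has no room for the type byte. */
size_t build_client_ident(const struct hardware *hw, uint8_t *out, size_t out_size)
{
	size_t n = hw->hlen;
	if (out_size < 1)
		return 0;
	if (n > HADDR_MAX)
		n = HADDR_MAX;
	if (n > out_size - 1)
		n = out_size - 1;
	out[0] = hw->htype;
	memcpy(&out[1], hw->haddr, n);
	return n + 1;
}

int main(void)
{
	/* Constructed input: Ethernet type, hlen larger than haddr can hold. */
	struct hardware hw = { .htype = 1, .hlen = 200, .haddr = { 0 } };
	uint8_t ident[HADDR_MAX + 1];
	printf("copy length with client_ident[sizeof(struct hardware)]: %zu of %zu\n",
	    clamped_hwlen(hw.hlen, sizeof(struct hardware)), (size_t)HADDR_MAX);
	printf("copy length with client_ident[sizeof(haddr) + 1]: %zu\n",
	    clamped_hwlen(hw.hlen, HADDR_MAX + 1));
	printf("identifier length from helper: %zu\n",
	    build_client_ident(&hw, ident, sizeof(ident)));
	return 0;
}
```

Under the assumed layout, the first size lets the clamp reach 17 bytes against a 16-byte haddr, while the size proposed in the report caps it at 16.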