[Bug 238022] buffer overrun in function make_request in sbin/dhclient/dhclient.c
bugzilla-noreply at freebsd.org
Tue May 21 13:14:55 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238022
Bug ID: 238022
Summary: buffer overrun in function make_request in
sbin/dhclient/dhclient.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 204510
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204510&action=edit
Proposed patch
There is a buffer overrun vulnerability in function make_request of
sbin/dhclient/dhclient.c, which is similar to the vulnerability that was fixed
in
https://github.com/freebsd/freebsd/commit/16b93d101357f716946014207ddfe9d849f97fc9.
	/* set unique client identifier */
	char client_ident[sizeof(struct hardware)];
	if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
		int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ?
		    ip->hw_address.hlen : sizeof(client_ident)-1;
		client_ident[0] = ip->hw_address.htype;
		memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
		options[DHO_DHCP_CLIENT_IDENTIFIER] =
		    &option_elements[DHO_DHCP_CLIENT_IDENTIFIER];
		options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident;
		options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1;
		options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1;
		options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF;
	}
A DHCP client identifier is simply the hardware type (one byte) concatenated
with the hardware address.
We should set the length of client_ident to sizeof(ip->hw_address.haddr) + 1,
instead of sizeof(struct hardware).
The attachment is the proposed patch.
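Added example, not part of the original report or the attached patch: it compares the copy bound used by the quoted code with the bound the report proposes. The struct hardware layout (two one-byte fields and a 16-byte haddr) is an assumption about dhclient's header, and clamp_reported, clamp_proposed and build_client_ident are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of dhclient's struct hardware (not shown in the report). */
struct hardware {
	uint8_t htype;
	uint8_t hlen;
	uint8_t haddr[16];
};

/* Bound used by the quoted code: derived from sizeof(struct hardware). */
static size_t
clamp_reported(uint8_t hlen)
{
	size_t max = sizeof(struct hardware) - 1;

	return ((size_t)hlen < max ? (size_t)hlen : max);
}

/* Bound with the proposed sizing: buffer is sizeof(haddr) + 1 bytes. */
static size_t
clamp_proposed(uint8_t hlen)
{
	size_t max = sizeof(((struct hardware *)0)->haddr);

	return ((size_t)hlen < max ? (size_t)hlen : max);
}

/* Writes htype followed by the address; returns 0 if out is too small. */
static size_t
build_client_ident(const struct hardware *hw, uint8_t *out, size_t outlen)
{
	size_t n = clamp_proposed(hw->hlen);

	if (outlen < n + 1)
		return (0);
	out[0] = hw->htype;
	memcpy(&out[1], hw->haddr, n);	/* never reads past haddr */
	return (n + 1);
}

int
main(void)
{
	/* Constructed input: an hlen larger than the address array. */
	printf("haddr=%zu reported=%zu proposed=%zu\n",
	    sizeof(((struct hardware *)0)->haddr),
	    clamp_reported(255), clamp_proposed(255));
	return (0);
}
```

With the assumed layout, the reported bound lets memcpy read one byte more than haddr holds, while the proposed bound stops at the end of the array.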