mir/isc-dhcp
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/dhcp synced 2025-08-22 18:07:25 +00:00
Code Issues Releases Wiki Activity
isc-dhcp/common/tests/option_unittest.c

227 lines
6.5 KiB
C
Raw Normal View History

[master] Corrected refcnt loss in option parsing Merges in 47140.
2018-02-09 14:46:08 -05:00
/*
[#231] 4.4.3 release changes
2022-03-08 09:37:01 +01:00
* Copyright (C) 2018-2022 Internet Systems Consortium, Inc. ("ISC")
[master] Corrected refcnt loss in option parsing Merges in 47140.
2018-02-09 14:46:08 -05:00
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <atf-c.h>
#include "dhcpd.h"
ATF_TC(option_refcnt);
ATF_TC_HEAD(option_refcnt, tc)
{
atf_tc_set_md_var(tc, "descr",
"Verify option reference count does not overflow.");
}
/* This test does a simple check to see if option reference count is
* decremented even an error path exiting parse_option_buffer()
*/
ATF_TC_BODY(option_refcnt, tc)
{
struct option_state *options;
struct option *option;
unsigned code;
int refcnt;
unsigned char buffer[3] = { 15, 255, 0 };
initialize_common_option_spaces();
options = NULL;
if (!option_state_allocate(&options, MDL)) {
atf_tc_fail("can't allocate option state");
}
[master] Correct buffer overrun in pretty_print_option Merges in rt47139.
2018-02-10 12:15:27 -05:00
[master] Corrected refcnt loss in option parsing Merges in 47140.
2018-02-09 14:46:08 -05:00
option = NULL;
code = 15; /* domain-name */
if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
&code, 0, MDL)) {
atf_tc_fail("can't find option 15");
}
if (option == NULL) {
atf_tc_fail("option is NULL");
}
refcnt = option->refcnt;
buffer[0] = 15;
buffer[1] = 255; /* invalid */
buffer[2] = 0;
if (parse_option_buffer(options, buffer, 3, &dhcp_universe)) {
atf_tc_fail("parse_option_buffer is expected to fail");
}
if (refcnt != option->refcnt) {
atf_tc_fail("refcnt changed from %d to %d", refcnt, option->refcnt);
}
}
[master] Correct buffer overrun in pretty_print_option Merges in rt47139.
2018-02-10 12:15:27 -05:00
ATF_TC(pretty_print_option);
ATF_TC_HEAD(pretty_print_option, tc)
{
atf_tc_set_md_var(tc, "descr",
"Verify pretty_print_option does not overrun its buffer.");
}
/*
* This test verifies that pretty_print_option() will not overrun its
* internal, static buffer when given large 'x/X' format options.
*
*/
ATF_TC_BODY(pretty_print_option, tc)
{
struct option *option;
unsigned code;
unsigned char bad_data[32*1024];
unsigned char good_data[] = { 1,2,3,4,5,6 };
int emit_commas = 1;
int emit_quotes = 1;
const char *output_buf;
/* Initialize whole thing to non-printable chars */
memset(bad_data, 0x1f, sizeof(bad_data));
initialize_common_option_spaces();
/* We'll use dhcp_client_identitifer because it happens to be format X */
code = 61;
option = NULL;
if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
&code, 0, MDL)) {
atf_tc_fail("can't find option %d", code);
}
if (option == NULL) {
atf_tc_fail("option is NULL");
}
/* First we will try a good value we know should fit. */
output_buf = pretty_print_option (option, good_data, sizeof(good_data),
emit_commas, emit_quotes);
/* Make sure we get what we expect */
if (!output_buf || strcmp(output_buf, "1:2:3:4:5:6")) {
atf_tc_fail("pretty_print_option did not return \"<error>\"");
}
/* Now we'll try a data value that's too large */
output_buf = pretty_print_option (option, bad_data, sizeof(bad_data),
emit_commas, emit_quotes);
/* Make sure we safely get an error */
if (!output_buf || strcmp(output_buf, "<error>")) {
atf_tc_fail("pretty_print_option did not return \"<error>\"");
}
}
[#182] Corrected CVE: CVE-2021-25217 Addressed buffer overwrite in parse_X() Added Release Note common/parse.c parse_X() - reworked to avoid buffer overwrite on over-sized hex literals common/tests/option_unittest.c ATF_TC_BODY(parse_X) - new test which verifies parse_X() logic.
2021-05-13 13:22:29 -04:00
ATF_TC(parse_X);
ATF_TC_HEAD(parse_X, tc)
{
atf_tc_set_md_var(tc, "descr",
[#231] typo fix
2022-03-08 10:24:40 +01:00
"Verify parse_X services option too big.");
[#182] Corrected CVE: CVE-2021-25217 Addressed buffer overwrite in parse_X() Added Release Note common/parse.c parse_X() - reworked to avoid buffer overwrite on over-sized hex literals common/tests/option_unittest.c ATF_TC_BODY(parse_X) - new test which verifies parse_X() logic.
2021-05-13 13:22:29 -04:00
}
/* Initializes a parse struct from an input buffer of data. */
static void init_parse(struct parse *cfile, char* name, char *input) {
memset(cfile, 0, sizeof(struct parse));
cfile->tlname = name;
cfile->lpos = cfile->line = 1;
cfile->cur_line = cfile->line1;
cfile->prev_line = cfile->line2;
cfile->token_line = cfile->cur_line;
cfile->cur_line[0] = cfile->prev_line[0] = 0;
cfile->file = -1;
cfile->eol_token = 0;
cfile->inbuf = input;
cfile->buflen = strlen(input);
cfile->bufsiz = 0;
}
/*
* This test verifies that parse_X does not overwrite the output
* buffer when given input data that exceeds the output buffer
* capacity.
*/
ATF_TC_BODY(parse_X, tc)
{
struct parse cfile;
u_int8_t output[10];
unsigned len;
/* Input hex literal */
char *input = "01:02:03:04:05:06:07:08";
unsigned expected_len = 8;
/* Normal output plus two filler bytes */
u_int8_t expected_plus_two[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0xff, 0xff
};
/* Safe output when option is too long */
unsigned short_buf_len = 4;
u_int8_t expected_too_long[] = {
0x01, 0x02, 0x03, 0x04, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
/* First we'll run one that works normally */
memset(output, 0xff, sizeof(output));
init_parse(&cfile, "hex_fits", input);
len = parse_X(&cfile, output, expected_len);
// Len should match the expected len.
if (len != expected_len) {
atf_tc_fail("parse_X failed, output len: %d", len);
}
// We should not have written anything past the end of the buffer.
if (memcmp(output, expected_plus_two, sizeof(output))) {
atf_tc_fail("parse_X failed, output does not match expected");
}
// Now we'll try it with a buffer that's too small.
init_parse(&cfile, "hex_too_long", input);
memset(output, 0xff, sizeof(output));
len = parse_X(&cfile, output, short_buf_len);
// On errors, len should be zero.
if (len != 0) {
atf_tc_fail("parse_X failed, we should have had an error");
}
// We should not have written anything past the end of the buffer.
if (memcmp(output, expected_too_long, sizeof(output))) {
atf_tc_fail("parse_X overwrote buffer!");
}
}
[master] Correct buffer overrun in pretty_print_option Merges in rt47139.
2018-02-10 12:15:27 -05:00
[master] Corrected refcnt loss in option parsing Merges in 47140.
2018-02-09 14:46:08 -05:00
/* This macro defines main() method that will call specified
test cases. tp and simple_test_case names can be whatever you want
as long as it is a valid variable identifier. */
ATF_TP_ADD_TCS(tp)
{
ATF_TP_ADD_TC(tp, option_refcnt);
[master] Correct buffer overrun in pretty_print_option Merges in rt47139.
2018-02-10 12:15:27 -05:00
ATF_TP_ADD_TC(tp, pretty_print_option);
[#182] Corrected CVE: CVE-2021-25217 Addressed buffer overwrite in parse_X() Added Release Note common/parse.c parse_X() - reworked to avoid buffer overwrite on over-sized hex literals common/tests/option_unittest.c ATF_TC_BODY(parse_X) - new test which verifies parse_X() logic.
2021-05-13 13:22:29 -04:00
ATF_TP_ADD_TC(tp, parse_X);
[master] Corrected refcnt loss in option parsing Merges in 47140.
2018-02-09 14:46:08 -05:00
return (atf_no_error());
}
Reference in New Issue Copy Permalink