mir/isc-dhcp
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/dhcp synced 2025-08-22 09:57:20 +00:00
Code Issues Releases Wiki Activity

[#182] Corrected CVE: CVE-2021-25217

Browse Source 
Addressed buffer overwrite in parse_X()

Added Release Note

common/parse.c
    parse_X() - reworked to avoid buffer overwrite on
    over-sized hex literals

common/tests/option_unittest.c
    ATF_TC_BODY(parse_X) - new test which verifies
    parse_X() logic.
This commit is contained in:
Thomas Markwalder 2021-05-13 13:22:29 -04:00 committed by Wlodek Wencel
parent b2ca192e64
commit 3d53b2f2a0
3 changed files with 96 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
RELNOTES
View File

@ -27,7 +27,7 @@ ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com). by Eric Young (eay@cryptsoft.com).
Changes since 4.4.2 (New Features) Changes since 4.4.2-P1 (New Features)
- BIND libraries updated to the latest version, 9.11.36. This fixes a number - BIND libraries updated to the latest version, 9.11.36. This fixes a number
of compilation issues on various systems, including OpenWRT. Thanks to of compilation issues on various systems, including OpenWRT. Thanks to
@ -39,7 +39,7 @@ by Eric Young (eay@cryptsoft.com).
and the client Linux script sample was updated. and the client Linux script sample was updated.
[Gitlab #132] [Gitlab #132]
Changes since 4.4.2 (Bug Fixes) Changes since 4.4.2-P1 (Bug Fixes)
- Minor corrections to allow compilation under gcc 10. - Minor corrections to allow compilation under gcc 10.
[Gitlab #117] [Gitlab #117]
@ -73,6 +73,13 @@ by Eric Young (eay@cryptsoft.com).
an object to fail. an object to fail.
[Gitlab #148] [Gitlab #148]
Changes since 4.4.2 (Bug Fixes)
- Corrected a buffer overwrite possible when parsing hexadecimal
literals with more than 1024 octets.
[Gitlab #182]
CVE: CVE-2021-25217
Changes since 4.4.2b1 (Bug Fixes) Changes since 4.4.2b1 (Bug Fixes)
- Added a clarification on DHCPINFORMs and server authority to - Added a clarification on DHCPINFORMs and server authority to

5
common/parse.c
View File

@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
skip_to_semi (cfile); skip_to_semi (cfile);
return 0; return 0;
} }
convert_num (cfile, &buf [len], val, 16, 8); if (len >= max) {
if (len++ > max) {
parse_warn (cfile, parse_warn (cfile,
"hexadecimal constant too long."); "hexadecimal constant too long.");
skip_to_semi (cfile); skip_to_semi (cfile);
return 0; return 0;
} }
convert_num (cfile, &buf [len], val, 16, 8);
len++;
token = peek_token (&val, (unsigned *)0, cfile); token = peek_token (&val, (unsigned *)0, cfile);
if (token == COLON) if (token == COLON)
token = next_token (&val, token = next_token (&val,

84
common/tests/option_unittest.c
View File

@ -129,6 +129,89 @@ ATF_TC_BODY(pretty_print_option, tc)
} }
} }
ATF_TC(parse_X);
ATF_TC_HEAD(parse_X, tc)
{
atf_tc_set_md_var(tc, "descr",
"Verify parse_X survices option too big.");
}
/* Initializes a parse struct from an input buffer of data. */
static void init_parse(struct parse *cfile, char* name, char *input) {
memset(cfile, 0, sizeof(struct parse));
cfile->tlname = name;
cfile->lpos = cfile->line = 1;
cfile->cur_line = cfile->line1;
cfile->prev_line = cfile->line2;
cfile->token_line = cfile->cur_line;
cfile->cur_line[0] = cfile->prev_line[0] = 0;
cfile->file = -1;
cfile->eol_token = 0;
cfile->inbuf = input;
cfile->buflen = strlen(input);
cfile->bufsiz = 0;
}
/*
* This test verifies that parse_X does not overwrite the output
* buffer when given input data that exceeds the output buffer
* capacity.
*/
ATF_TC_BODY(parse_X, tc)
{
struct parse cfile;
u_int8_t output[10];
unsigned len;
/* Input hex literal */
char *input = "01:02:03:04:05:06:07:08";
unsigned expected_len = 8;
/* Normal output plus two filler bytes */
u_int8_t expected_plus_two[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0xff, 0xff
};
/* Safe output when option is too long */
unsigned short_buf_len = 4;
u_int8_t expected_too_long[] = {
0x01, 0x02, 0x03, 0x04, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
/* First we'll run one that works normally */
memset(output, 0xff, sizeof(output));
init_parse(&cfile, "hex_fits", input);
len = parse_X(&cfile, output, expected_len);
// Len should match the expected len.
if (len != expected_len) {
atf_tc_fail("parse_X failed, output len: %d", len);
}
// We should not have written anything past the end of the buffer.
if (memcmp(output, expected_plus_two, sizeof(output))) {
atf_tc_fail("parse_X failed, output does not match expected");
}
// Now we'll try it with a buffer that's too small.
init_parse(&cfile, "hex_too_long", input);
memset(output, 0xff, sizeof(output));
len = parse_X(&cfile, output, short_buf_len);
// On errors, len should be zero.
if (len != 0) {
atf_tc_fail("parse_X failed, we should have had an error");
}
// We should not have written anything past the end of the buffer.
if (memcmp(output, expected_too_long, sizeof(output))) {
atf_tc_fail("parse_X overwrote buffer!");
}
}
/* This macro defines main() method that will call specified /* This macro defines main() method that will call specified
test cases. tp and simple_test_case names can be whatever you want test cases. tp and simple_test_case names can be whatever you want
@ -137,6 +220,7 @@ ATF_TP_ADD_TCS(tp)
{ {
ATF_TP_ADD_TC(tp, option_refcnt); ATF_TP_ADD_TC(tp, option_refcnt);
ATF_TP_ADD_TC(tp, pretty_print_option); ATF_TP_ADD_TC(tp, pretty_print_option);
ATF_TP_ADD_TC(tp, parse_X);
return (atf_no_error()); return (atf_no_error());
} }