oss-sec mailing list archives
Re: CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 02 May 2012 10:49:32 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/02/2012 10:08 AM, Marcus Meissner wrote:
Hi, I would like a CVE for following issue: One of our customers reported a crash of dhcpcd (a DHCP client) version 3.2.3 as found in our products. This was triggered by regular network traffic happening, so attackers in the local network could inject such a packet. The issue is apparently fixed in dhcpcd-4.0.2 (oldest GIT revision of dhcpcd I can find), as it features the necessary checks on cursory review. Problem is that the "to copyed" size of a packet is decoded from the network data and not checked against the maximum size of the retrieved packet. In dhcpcd 3.2.3 it is copied to a fixed size stackbuffer on some paths and so overwrites stack. On our SLE11 product this is caught by -fstack-protector, turning this into a remote denial of service (crash). Place to look for places like this: bytes = get_udp_data(&pp, packet); if ((size_t)bytes > sizeof(*dhcp)) { syslog(LOG_ERR, "%s: packet greater than DHCP size from %s", iface->name, inet_ntoa(from)); continue; } bytes is calculated from packet data and not bounded in get_udp_data(). So without the if() check, it would later copy over bytes into a fixed buffer in some paths. Also: bytes = packet.bh_caplen - ETHER_HDR_LEN; if (bytes > len) bytes = len; memcpy(data, payload, bytes); I have pasted the current patch we use against our quite heavily patches dhcpcd 3.2.3 on https://bugzilla.novell.com/show_bug.cgi?id=760334 Reference: https://bugzilla.novell.com/show_bug.cgi?id=760334 Ciao, Marcus
For the record: this is about as perfect as a CVE request gets =) Please use CVE-2012-2152 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPoWWbAAoJEBYNRVNeJnmTSyQQANX5RzPCr5crrVvVdzbhHVeE E6eG+VrU1+6kW16ELlC6NntivQWXtx0PiwSR6WMqfaFw69+RJOAHTYYheQYjhAkv WzG84mqZHFAXRPwh7mB19vq4W2YhVt58MvDAQOXojX5FmBR9jPxXvKKU3qQR+6b3 tU7JytuzJ7PCUHFLrERnKyda9yiawQvE09IJJpeiyIqha0ZHayYXCatyRetpMPQP 8YzPOZ1aLBJEkbjFTY441npKH8tu0RyDyafhRjpz4i3YUT+XxpWRQ3oA7EnTfNWN izFp/epIQQ+YPPYs5mw5cLBZip2XvQhf2G+OLAMN9R+tySD32VqbBBrHP+OZoUrE XZjo2h1adm/r2siETX3mkdUvT8rxarJP9j2l0VQOQ8gIQViI7I+PjupA7mfFT2NS IOQrZeqlmzuJc9cnerlK5iED5BhAiXhvt3TzhDrUMRQNRL2QIRUeTb5lI34mtf2Y wSgl2wchARkN8c4Rok/zFMGDh+2MN/EmfscHqcBZJ9zhZ7giQADjcyG9wPMnJzmd GSDKmZMcQ8zIqyvZEE2OdoXc8SoKEwSDk7kD5eXw8NVn+mZY8knsCyGPLfCAEQX2 qzDolOadO+1nyl/nENicdKCeV64dLe5x+8el7KWGlaID7bMpNMRfez0myUcOcvR/ RgECkrqMseLYbStFKlS2 =5d9X -----END PGP SIGNATURE-----
Current thread:
- CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service Marcus Meissner (May 02)
- Re: CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service Kurt Seifried (May 02)