Re: CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/02/2012 10:08 AM, Marcus Meissner wrote:
> Hi,
>
> I would like a CVE for following issue:
>
> One of our customers reported a crash of dhcpcd (a DHCP client)
> version 3.2.3 as found in our products.
>
> This was triggered by regular network traffic happening, so
> attackers in the local network could inject such a packet.
>
> The issue is apparently fixed in dhcpcd-4.0.2 (oldest GIT revision
> of dhcpcd I can find), as it features the necessary checks on
> cursory review.
>
>
> Problem is that the "to copyed" size of a packet is decoded from
> the network data and not checked against the maximum size of the
> retrieved packet.
>
> In dhcpcd 3.2.3 it is copied to a fixed size stackbuffer on some
> paths and so overwrites stack.
>
> On our SLE11 product this is caught by -fstack-protector, turning
> this into a remote denial of service (crash).
>
> Place to look for places like this:
>
> bytes = get_udp_data(&pp, packet); if ((size_t)bytes >
> sizeof(*dhcp)) { syslog(LOG_ERR, "%s: packet greater than DHCP size
> from %s", iface->name, inet_ntoa(from)); continue; }
>
> bytes is calculated from packet data and not bounded in
> get_udp_data(). So without the if() check, it would later copy over
> bytes into a fixed buffer in some paths.
>
> Also: bytes = packet.bh_caplen - ETHER_HDR_LEN; if (bytes > len) 
> bytes = len; memcpy(data, payload, bytes);
>
> I have pasted the current patch we use against our quite heavily
> patches dhcpcd 3.2.3 on
> https://bugzilla.novell.com/show_bug.cgi?id=760334
>
> Reference: https://bugzilla.novell.com/show_bug.cgi?id=760334
>
> Ciao, Marcus

For the record: this is about as perfect as a CVE request gets =)

Please use CVE-2012-2152  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPoWWbAAoJEBYNRVNeJnmTSyQQANX5RzPCr5crrVvVdzbhHVeE
E6eG+VrU1+6kW16ELlC6NntivQWXtx0PiwSR6WMqfaFw69+RJOAHTYYheQYjhAkv
WzG84mqZHFAXRPwh7mB19vq4W2YhVt58MvDAQOXojX5FmBR9jPxXvKKU3qQR+6b3
tU7JytuzJ7PCUHFLrERnKyda9yiawQvE09IJJpeiyIqha0ZHayYXCatyRetpMPQP
8YzPOZ1aLBJEkbjFTY441npKH8tu0RyDyafhRjpz4i3YUT+XxpWRQ3oA7EnTfNWN
izFp/epIQQ+YPPYs5mw5cLBZip2XvQhf2G+OLAMN9R+tySD32VqbBBrHP+OZoUrE
XZjo2h1adm/r2siETX3mkdUvT8rxarJP9j2l0VQOQ8gIQViI7I+PjupA7mfFT2NS
IOQrZeqlmzuJc9cnerlK5iED5BhAiXhvt3TzhDrUMRQNRL2QIRUeTb5lI34mtf2Y
wSgl2wchARkN8c4Rok/zFMGDh+2MN/EmfscHqcBZJ9zhZ7giQADjcyG9wPMnJzmd
GSDKmZMcQ8zIqyvZEE2OdoXc8SoKEwSDk7kD5eXw8NVn+mZY8knsCyGPLfCAEQX2
qzDolOadO+1nyl/nENicdKCeV64dLe5x+8el7KWGlaID7bMpNMRfez0myUcOcvR/
RgECkrqMseLYbStFKlS2
=5d9X
-----END PGP SIGNATURE-----