oss-sec mailing list archives

CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service


From: Marcus Meissner <meissner () suse de>
Date: Wed, 2 May 2012 18:08:03 +0200

Hi,

I would like a CVE for the following issue:

One of our customers reported a crash of dhcpcd (a DHCP client) version
3.2.3 as found in our products.

This was triggered by regular network traffic happening, so attackers
in the local network could inject such a packet.

The issue is apparently fixed in dhcpcd-4.0.2 (oldest GIT revision of
dhcpcd I can find), as it features the necessary checks on cursory review.


Problem is that the "to be copied" size of a packet is decoded from the network data
and not checked against the maximum size of the retrieved packet.

In dhcpcd 3.2.3 it is copied to a fixed-size stack buffer on some paths
and so overwrites the stack.

On our SLE11 product this is caught by -fstack-protector, turning this
into a remote denial of service (crash).

Places to look for issues like this:

                bytes = get_udp_data(&pp, packet);
                if ((size_t)bytes > sizeof(*dhcp)) {
                        syslog(LOG_ERR,
                            "%s: packet greater than DHCP size from %s",
                            iface->name, inet_ntoa(from));
                        continue;
                }

bytes is calculated from packet data and not bounded in get_udp_data().
So without the if() check, it would later copy bytes into a fixed buffer
on some paths.

Also:
                bytes = packet.bh_caplen - ETHER_HDR_LEN;
                if (bytes > len)
                        bytes = len;
                memcpy(data, payload, bytes);

I have pasted the current patch we use against our quite heavily patched dhcpcd 3.2.3
on https://bugzilla.novell.com/show_bug.cgi?id=760334

Reference: https://bugzilla.novell.com/show_bug.cgi?id=760334

Ciao, Marcus
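The defect described in the post is a length taken from the packet itself (the UDP length field) being trusted when deciding how many bytes to copy into a fixed-size buffer. The following is an added illustration of that pattern and of the two checks that close it, written for this archive entry; it is not dhcpcd's code and the names (udp_payload_len_unchecked, udp_payload_len_checked, copy_dhcp, DHCP_MAX of 548 bytes) and the packet layout are assumptions made here. The unchecked variant only reports the length the packet claims; the checked variant bounds that claim against the captured length, and the copy routine additionally bounds it against the destination buffer, which is the role of the sizeof(*dhcp) comparison quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN  20   /* minimal IPv4 header, no options */
#define UDP_HDR_LEN 8
#define DHCP_MAX    548  /* assumed fixed destination size, stands in for sizeof(*dhcp) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked: returns whatever payload length the UDP header claims.
 * This mirrors the flaw in the post: the value comes from the wire and
 * nothing relates it to how many bytes were actually received. */
long udp_payload_len_unchecked(const uint8_t *pkt, size_t caplen)
{
    (void)caplen;  /* deliberately ignored, as in the unfixed code path */
    return (long)be16(pkt + IP_HDR_LEN + 4) - UDP_HDR_LEN;
}

/* Checked: the claimed length must fit inside the captured bytes.
 * Returns the payload length and sets *payload, or -1 on any inconsistency. */
long udp_payload_len_checked(const uint8_t *pkt, size_t caplen, const uint8_t **payload)
{
    if (caplen < IP_HDR_LEN + UDP_HDR_LEN) return -1;        /* too short to hold headers */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;               /* IPv4 header length in bytes */
    if (ihl < IP_HDR_LEN || caplen < ihl + UDP_HDR_LEN) return -1;
    uint16_t udp_len = be16(pkt + ihl + 4);                  /* UDP length incl. its header */
    if (udp_len < UDP_HDR_LEN) return -1;
    if ((size_t)udp_len > caplen - ihl) return -1;           /* claims more than was captured */
    *payload = pkt + ihl + UDP_HDR_LEN;
    return (long)udp_len - UDP_HDR_LEN;
}

/* Copy the UDP payload into a fixed buffer, refusing anything that would not fit. */
long copy_dhcp(uint8_t *dst, size_t dstlen, const uint8_t *pkt, size_t caplen)
{
    const uint8_t *payload;
    long n = udp_payload_len_checked(pkt, caplen, &payload);
    if (n < 0) return -1;
    if ((size_t)n > dstlen) return -1;                        /* the sizeof(*dhcp) check */
    memcpy(dst, payload, (size_t)n);
    return n;
}

/* Build a constructed IPv4/UDP packet whose UDP length field is set independently
 * of the real payload size, so a lying header can be exercised. Returns bytes written. */
size_t build_packet(uint8_t *buf, size_t bufsz, uint16_t udp_len_field, size_t payload_bytes)
{
    size_t total = IP_HDR_LEN + UDP_HDR_LEN + payload_bytes;
    if (total > bufsz) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    buf[9] = 17;                                    /* protocol: UDP */
    buf[IP_HDR_LEN + 4] = (uint8_t)(udp_len_field >> 8);
    buf[IP_HDR_LEN + 5] = (uint8_t)(udp_len_field & 0xff);
    memset(buf + IP_HDR_LEN + UDP_HDR_LEN, 0x41, payload_bytes);
    return total;
}

/* Scenario helpers: what each parser reports for a packet carrying payload_bytes
 * of data but whose UDP header claims udp_len_field. */
long scenario_len(uint16_t udp_len_field, size_t payload_bytes, int checked)
{
    uint8_t pkt[4096];
    const uint8_t *payload;
    size_t caplen = build_packet(pkt, sizeof pkt, udp_len_field, payload_bytes);
    if (caplen == 0) return -2;
    return checked ? udp_payload_len_checked(pkt, caplen, &payload)
                   : udp_payload_len_unchecked(pkt, caplen);
}

long scenario_copy(uint16_t udp_len_field, size_t payload_bytes)
{
    uint8_t pkt[4096], dhcp[DHCP_MAX];
    size_t caplen = build_packet(pkt, sizeof pkt, udp_len_field, payload_bytes);
    if (caplen == 0) return -2;
    return copy_dhcp(dhcp, sizeof dhcp, pkt, caplen);
}

int main(void)
{
    printf("honest 100-byte payload, checked: %ld\n", scenario_len(108, 100, 1));
    printf("header claims 2000, unchecked:    %ld\n", scenario_len(2008, 100, 0));
    printf("header claims 2000, checked:      %ld\n", scenario_len(2008, 100, 1));
    printf("600-byte payload into %d buffer:  %ld\n", DHCP_MAX, scenario_copy(608, 600));
    return 0;
}
```

The unchecked parser reports 2000 bytes for a 128-byte capture; a memcpy driven by that value is the stack overwrite the post describes, and -fstack-protector turning it into a crash is the "remote denial of service" outcome. The checked parser rejects the same packet before any copy, and copy_dhcp separately rejects a consistent but oversized payload, matching the "packet greater than DHCP size" branch quoted from the fixed version.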

