diff options
Diffstat (limited to 'sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch')
| -rw-r--r-- | sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch b/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch new file mode 100644 index 000000000000..2187c9b6732c --- /dev/null +++ b/sys-apps/busybox/files/busybox-1.24.2-CVE-2016-2147.patch @@ -0,0 +1,72 @@ +From 3c4de6e36c4d387a648622e7b828a05f2b1b47e6 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Fri, 26 Feb 2016 15:54:56 +0100 +Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced + buffer) + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +(cherry picked from commit 352f79acbd759c14399e39baef21fc4ffe180ac2) +--- + networking/udhcp/common.c | 15 +++++++++++++-- + networking/udhcp/dhcpc.c | 4 ++-- + 2 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c +index bc41c8d..680852c 100644 +--- a/networking/udhcp/common.c ++++ b/networking/udhcp/common.c +@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 = + * udhcp_str2optset: to determine how many bytes to allocate. + * xmalloc_optname_optval: to estimate string length + * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type]) +- * is the number of elements, multiply in by one element's string width ++ * is the number of elements, multiply it by one element's string width + * (len_of_option_as_string[opt_type]) and you know how wide string you need. + */ + const uint8_t dhcp_option_lengths[] ALIGN1 = { +@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = { + [OPTION_S32] = 4, + /* Just like OPTION_STRING, we use minimum length here */ + [OPTION_STATIC_ROUTES] = 5, +- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */ ++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */ ++ /* The above value was chosen as follows: ++ * len_of_option_as_string[] for this option is >60: it's a string of the form ++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ". ++ * Each additional ipv4 address takes 4 bytes in binary option and appends ++ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4 ++ * but this severely overestimates string length: instead of 16 bytes, ++ * it adds >60 for every 4 bytes in binary option. ++ * We cheat and declare here that option is in units of 12 bytes. ++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough. ++ * (Even 16 instead of 12 should work, but let's be paranoid). ++ */ + }; + + +diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c +index 915f659..2332b57 100644 +--- a/networking/udhcp/dhcpc.c ++++ b/networking/udhcp/dhcpc.c +@@ -113,7 +113,7 @@ static const uint8_t len_of_option_as_string[] = { + [OPTION_IP ] = sizeof("255.255.255.255 "), + [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2, + [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "), +- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "), ++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "), + [OPTION_STRING ] = 1, + [OPTION_STRING_HOST ] = 1, + #if ENABLE_FEATURE_UDHCP_RFC3397 +@@ -220,7 +220,7 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_ + type = optflag->flags & OPTION_TYPE_MASK; + optlen = dhcp_option_lengths[type]; + upper_length = len_of_option_as_string[type] +- * ((unsigned)(len + optlen - 1) / (unsigned)optlen); ++ * ((unsigned)(len + optlen) / (unsigned)optlen); + + dest = ret = xmalloc(upper_length + strlen(opt_name) + 2); + dest += sprintf(ret, "%s=", opt_name); +-- +2.7.4 + |