Bug 238022 - buffer overrun in function make_request in sbin/dhclient/dhclient.c
Summary: buffer overrun in function make_request in sbin/dhclient/dhclient.c
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2019-05-21 13:14 UTC by Young
Modified: 2019-05-25 19:55 UTC (History)
1 user (show)

See Also:


Attachments
Proposed patch (1.13 KB, application/mbox)
2019-05-21 13:14 UTC, Young
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Young 2019-05-21 13:14:52 UTC
Created attachment 204510 [details]
Proposed patch

There is a buffer overrun vulnerability in function make_request of sbin/dhclient/dhclient.c, which is similar to the vulnerability that was fixed in https://github.com/freebsd/freebsd/commit/16b93d101357f716946014207ddfe9d849f97fc9.

        /* set unique client identifier */
        char client_ident[sizeof(struct hardware)];
        if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
                int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ?
                                ip->hw_address.hlen : sizeof(client_ident)-1;
                client_ident[0] = ip->hw_address.htype;
                memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
                options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER];
                options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF;
        }

A DHCP client identifier is simply the hardware type (one byte) concatenated with the hardware address.
We should set the lengthe of clinet_ident to sizeof(ip->hw_address.haddr) + 1, instead of sizeof(struct hardware).

The attachment is the proposed patch.