Bug 255098 - dhclient dns-label compression bug
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 12.2-RELEASE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Reported: 2021-04-15 19:11 UTC by paul vixie
Modified: 2021-04-18 06:00 UTC

patch to fix a decompression bug long since fixed upstream (705 bytes, patch)
2021-04-15 19:11 UTC, paul vixie

Description paul vixie 2021-04-15 19:11:53 UTC
Created attachment 224142
patch to fix a decompression bug long since fixed upstream

there is a bug in the dns-label decompression logic here, discovered by auditing the code at mark andrews' behest, after reading the forescout report which unfairly maligned freebsd as having a vulnerability in its "stack".

this code is a copy of something in libresolv, and this bug was fixed long ago in libresolv, and in ISC DHCP, but not in the freebsd (by way of openbsd) version. therefore, see attached patch.

0xC0 is 0b11000000. the "11" indicates a 14-bit compression pointer (offset from the start of the message). other patterns are "01" and "10" which have sometimes been defined but are currently reserved.

only where the pattern is "11" should the 14-bit compression pointer be used.
Comment 1 marka 2021-04-16 00:58:44 UTC
Note the submitted patch is incomplete.

len > 63 and < 192 also need to be rejected.
Comment 2 paul vixie 2021-04-18 06:00:41 UTC
(In reply to marka from comment #1)

don't be shy -- include a patch, like i did?
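
The label-type checks discussed in the description and in comment 1, as an added example that is not part of the bug report, the attached patch, or dhclient's code: a stand-alone name expander that follows a compression pointer only for the "11" pattern and rejects length bytes 64 through 191. The function name, the 16-hop pointer limit and the sample message are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Expand the name at msg[off] into dotted text; returns its length or -1. */
int expand_name(const uint8_t *msg, size_t msglen, size_t off,
                char *out, size_t outlen)
{
    size_t n = 0;
    int hops = 0;

    while (off < msglen) {
        uint8_t len = msg[off++];
        if (len == 0) {                 /* root label ends the name */
            if (n >= outlen)
                return -1;
            out[n] = '\0';
            return (int)n;
        }
        switch (len & 0xC0) {
        case 0x00:                      /* "00": literal label, 1..63 bytes */
            if (len > msglen - off || n + len + 2 > outlen)
                return -1;
            if (n > 0)
                out[n++] = '.';
            memcpy(out + n, msg + off, len);
            n += len;
            off += len;
            break;
        case 0xC0:                      /* "11": 14-bit offset from message start */
            if (off >= msglen || ++hops > 16)   /* hop cap is an assumed limit */
                return -1;
            off = ((size_t)(len & 0x3F) << 8) | msg[off];
            break;
        default:                        /* "01"/"10": 64..191, reserved, reject */
            return -1;
        }
    }
    return -1;                          /* ran off the end of the message */
}

/* Constructed sample message, not taken from the bug report. */
const uint8_t sample_msg[] = {
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* offset 0 */
    3,'w','w','w', 0xC0, 0x00,                        /* 13: pointer to 0 */
    0x40, 'x', 0,                                     /* 19: "01" prefix */
    0x80, 0x00                                        /* 22: "10" prefix */
};
```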