oss-sec mailing list archives
CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service
From: Marcus Meissner <meissner () suse de>
Date: Wed, 2 May 2012 18:08:03 +0200
Hi,

I would like a CVE for the following issue:

One of our customers reported a crash of dhcpcd (a DHCP client) version 3.2.3 as found in our products. This was triggered by regular network traffic happening, so attackers in the local network could inject such a packet.

The issue is apparently fixed in dhcpcd-4.0.2 (oldest GIT revision of dhcpcd I can find), as it features the necessary checks on cursory review.

Problem is that the "to be copied" size of a packet is decoded from the network data and not checked against the maximum size of the retrieved packet. In dhcpcd 3.2.3 it is copied to a fixed size stack buffer on some paths and so overwrites the stack. On our SLE11 product this is caught by -fstack-protector, turning this into a remote denial of service (crash).

Place to look for places like this:

    bytes = get_udp_data(&pp, packet);
    if ((size_t)bytes > sizeof(*dhcp)) {
        syslog(LOG_ERR, "%s: packet greater than DHCP size from %s",
               iface->name, inet_ntoa(from));
        continue;
    }

bytes is calculated from packet data and not bounded in get_udp_data(). So without the if() check, it would later copy over bytes into a fixed buffer in some paths.

Also:

    bytes = packet.bh_caplen - ETHER_HDR_LEN;
    if (bytes > len)
        bytes = len;
    memcpy(data, payload, bytes);

I have pasted the current patch we use against our quite heavily patched dhcpcd 3.2.3 on https://bugzilla.novell.com/show_bug.cgi?id=760334

Reference: https://bugzilla.novell.com/show_bug.cgi?id=760334

Ciao, Marcus
Current thread:
- CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service Marcus Meissner (May 02)
- Re: CVE Request: dhcpcd 3.2.3 remote stack overflow / denial of service Kurt Seifried (May 02)