Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 02 May 2012 10:49:32 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: dhcpcd 3.2.3 remote stack overflow
 / denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/02/2012 10:08 AM, Marcus Meissner wrote:
> Hi,
> 
> I would like a CVE for following issue:
> 
> One of our customers reported a crash of dhcpcd (a DHCP client)
> version 3.2.3 as found in our products.
> 
> This was triggered by regular network traffic happening, so
> attackers in the local network could inject such a packet.
> 
> The issue is apparently fixed in dhcpcd-4.0.2 (oldest GIT revision
> of dhcpcd I can find), as it features the necessary checks on
> cursory review.
> 
> 
> Problem is that the "to copyed" size of a packet is decoded from
> the network data and not checked against the maximum size of the
> retrieved packet.
> 
> In dhcpcd 3.2.3 it is copied to a fixed size stackbuffer on some
> paths and so overwrites stack.
> 
> On our SLE11 product this is caught by -fstack-protector, turning
> this into a remote denial of service (crash).
> 
> Place to look for places like this:
> 
> bytes = get_udp_data(&pp, packet); if ((size_t)bytes >
> sizeof(*dhcp)) { syslog(LOG_ERR, "%s: packet greater than DHCP size
> from %s", iface->name, inet_ntoa(from)); continue; }
> 
> bytes is calculated from packet data and not bounded in
> get_udp_data(). So without the if() check, it would later copy over
> bytes into a fixed buffer in some paths.
> 
> Also: bytes = packet.bh_caplen - ETHER_HDR_LEN; if (bytes > len) 
> bytes = len; memcpy(data, payload, bytes);
> 
> I have pasted the current patch we use against our quite heavily
> patches dhcpcd 3.2.3 on
> https://bugzilla.novell.com/show_bug.cgi?id=760334
> 
> Reference: https://bugzilla.novell.com/show_bug.cgi?id=760334
> 
> Ciao, Marcus

For the record: this is about as perfect as a CVE request gets =)

Please use CVE-2012-2152  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPoWWbAAoJEBYNRVNeJnmTSyQQANX5RzPCr5crrVvVdzbhHVeE
E6eG+VrU1+6kW16ELlC6NntivQWXtx0PiwSR6WMqfaFw69+RJOAHTYYheQYjhAkv
WzG84mqZHFAXRPwh7mB19vq4W2YhVt58MvDAQOXojX5FmBR9jPxXvKKU3qQR+6b3
tU7JytuzJ7PCUHFLrERnKyda9yiawQvE09IJJpeiyIqha0ZHayYXCatyRetpMPQP
8YzPOZ1aLBJEkbjFTY441npKH8tu0RyDyafhRjpz4i3YUT+XxpWRQ3oA7EnTfNWN
izFp/epIQQ+YPPYs5mw5cLBZip2XvQhf2G+OLAMN9R+tySD32VqbBBrHP+OZoUrE
XZjo2h1adm/r2siETX3mkdUvT8rxarJP9j2l0VQOQ8gIQViI7I+PjupA7mfFT2NS
IOQrZeqlmzuJc9cnerlK5iED5BhAiXhvt3TzhDrUMRQNRL2QIRUeTb5lI34mtf2Y
wSgl2wchARkN8c4Rok/zFMGDh+2MN/EmfscHqcBZJ9zhZ7giQADjcyG9wPMnJzmd
GSDKmZMcQ8zIqyvZEE2OdoXc8SoKEwSDk7kD5eXw8NVn+mZY8knsCyGPLfCAEQX2
qzDolOadO+1nyl/nENicdKCeV64dLe5x+8el7KWGlaID7bMpNMRfez0myUcOcvR/
RgECkrqMseLYbStFKlS2
=5d9X
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.