fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-01 18:50:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

systemd: merge branch 'systemd-dhcp6-fix'

Browse source 
Backport a series of upstream patches from systemd, related
to out-of-bounds heap write with DHCPv6.

On master, we anyway will do a full re-import of systemd code.
Cherry-pick individual patches first, to make backporting easier.

CVE-2018-15688
This commit is contained in:
Thomas Haller 2018-10-27 22:20:11 +02:00
commit ef7312a3ae
5 changed files with 94 additions and 107 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/systemd/src/libsystemd-network/dhcp6-internal.h
View file

@ -84,8 +84,8 @@ typedef struct DHCP6IA DHCP6IA;
int dhcp6_option_append(uint8_t **buf, size_t *buflen, uint16_t code,
size_t optlen, const void *optval);
int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia);
int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd);
int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia);
int dhcp6_option_append_pd(uint8_t *buf, size_t len, const DHCP6IA *pd);
int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn);
int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
size_t *optlen, uint8_t **optvalue);

158
src/systemd/src/libsystemd-network/dhcp6-option.c
View file

@ -39,9 +39,9 @@ typedef struct DHCP6PDPrefixOption {
uint8_t options[];
} _packed_ DHCP6PDPrefixOption;
#define DHCP6_OPTION_IA_NA_LEN (sizeof(struct ia_na))
#define DHCP6_OPTION_IA_PD_LEN (sizeof(struct ia_pd))
#define DHCP6_OPTION_IA_TA_LEN (sizeof(struct ia_ta))
#define DHCP6_OPTION_IA_NA_LEN (sizeof(struct ia_na))
#define DHCP6_OPTION_IA_PD_LEN (sizeof(struct ia_pd))
#define DHCP6_OPTION_IA_TA_LEN (sizeof(struct ia_ta))
static int option_append_hdr(uint8_t **buf, size_t *buflen, uint16_t optcode,
size_t optlen) {
@ -51,14 +51,14 @@ static int option_append_hdr(uint8_t **buf, size_t *buflen, uint16_t optcode,
assert_return(*buf, -EINVAL);
assert_return(buflen, -EINVAL);
if (optlen > 0xffff || *buflen < optlen + sizeof(DHCP6Option))
if (optlen > 0xffff || *buflen < optlen + offsetof(DHCP6Option, data))
return -ENOBUFS;
option->code = htobe16(optcode);
option->len = htobe16(optlen);
*buf += sizeof(DHCP6Option);
*buflen -= sizeof(DHCP6Option);
*buf += offsetof(DHCP6Option, data);
*buflen -= offsetof(DHCP6Option, data);
return 0;
}
@ -81,14 +81,17 @@ int dhcp6_option_append(uint8_t **buf, size_t *buflen, uint16_t code,
return 0;
}
int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia) {
uint16_t len;
uint8_t *ia_hdr;
size_t iaid_offset, ia_buflen, ia_addrlen = 0;
DHCP6Address *addr;
int r;
assert_return(buf && *buf && buflen && ia, -EINVAL);
assert_return(buf, -EINVAL);
assert_return(*buf, -EINVAL);
assert_return(buflen, -EINVAL);
assert_return(ia, -EINVAL);
switch (ia->type) {
case SD_DHCP6_OPTION_IA_NA:
@ -105,14 +108,14 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
return -EINVAL;
}
if (*buflen < len)
if (*buflen < offsetof(DHCP6Option, data) + len)
return -ENOBUFS;
ia_hdr = *buf;
ia_buflen = *buflen;
*buf += sizeof(DHCP6Option);
*buflen -= sizeof(DHCP6Option);
*buf += offsetof(DHCP6Option, data);
*buflen -= offsetof(DHCP6Option, data);
memcpy(*buf, (char*) ia + iaid_offset, len);
@ -130,7 +133,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
*buf += sizeof(addr->iaaddr);
*buflen -= sizeof(addr->iaaddr);
ia_addrlen += sizeof(DHCP6Option) + sizeof(addr->iaaddr);
ia_addrlen += offsetof(DHCP6Option, data) + sizeof(addr->iaaddr);
}
r = option_append_hdr(&ia_hdr, &ia_buflen, ia->type, len + ia_addrlen);
@ -167,7 +170,7 @@ int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn) {
return r;
}
int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd) {
int dhcp6_option_append_pd(uint8_t *buf, size_t len, const DHCP6IA *pd) {
DHCP6Option *option = (DHCP6Option *)buf;
size_t i = sizeof(*option) + sizeof(pd->ia_pd);
DHCP6Address *prefix;
@ -212,7 +215,7 @@ static int option_parse_hdr(uint8_t **buf, size_t *buflen, uint16_t *optcode, si
assert_return(optcode, -EINVAL);
assert_return(optlen, -EINVAL);
if (*buflen < sizeof(DHCP6Option))
if (*buflen < offsetof(DHCP6Option, data))
return -ENOMSG;
len = be16toh(option->len);
@ -253,7 +256,7 @@ int dhcp6_option_parse_status(DHCP6Option *option, size_t len) {
DHCP6StatusOption *statusopt = (DHCP6StatusOption *)option;
if (len < sizeof(DHCP6StatusOption) ||
be16toh(option->len) + sizeof(DHCP6Option) < sizeof(DHCP6StatusOption))
be16toh(option->len) + offsetof(DHCP6Option, data) < sizeof(DHCP6StatusOption))
return -ENOBUFS;
return be16toh(statusopt->status);
@ -266,7 +269,7 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia,
uint32_t lt_valid, lt_pref;
int r;
if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*addr_option))
if (be16toh(option->len) + offsetof(DHCP6Option, data) < sizeof(*addr_option))
return -ENOBUFS;
lt_valid = be32toh(addr_option->iaaddr.lifetime_valid);
@ -279,8 +282,8 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia,
return 0;
}
if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*addr_option)) {
r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*addr_option));
if (be16toh(option->len) + offsetof(DHCP6Option, data) > sizeof(*addr_option)) {
r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + offsetof(DHCP6Option, data) - sizeof(*addr_option));
if (r != 0)
return r < 0 ? r: 0;
}
@ -306,7 +309,7 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia,
uint32_t lt_valid, lt_pref;
int r;
if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*pdprefix_option))
if (be16toh(option->len) + offsetof(DHCP6Option, data) < sizeof(*pdprefix_option))
return -ENOBUFS;
lt_valid = be32toh(pdprefix_option->iapdprefix.lifetime_valid);
@ -319,8 +322,8 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia,
return 0;
}
if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*pdprefix_option)) {
r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*pdprefix_option));
if (be16toh(option->len) + offsetof(DHCP6Option, data) > sizeof(*pdprefix_option)) {
r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + offsetof(DHCP6Option, data) - sizeof(*pdprefix_option));
if (r != 0)
return r < 0 ? r: 0;
}
@ -356,10 +359,8 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
switch (iatype) {
case SD_DHCP6_OPTION_IA_NA:
if (len < DHCP6_OPTION_IA_NA_LEN) {
r = -ENOBUFS;
goto error;
}
if (len < DHCP6_OPTION_IA_NA_LEN)
return -ENOBUFS;
iaaddr_offset = DHCP6_OPTION_IA_NA_LEN;
memcpy(&ia->ia_na, iaoption->data, sizeof(ia->ia_na));
@ -370,18 +371,15 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
if (lt_t1 && lt_t2 && lt_t1 > lt_t2) {
log_dhcp6_client(client, "IA NA T1 %ds > T2 %ds",
lt_t1, lt_t2);
r = -EINVAL;
goto error;
return -EINVAL;
}
break;
case SD_DHCP6_OPTION_IA_PD:
if (len < sizeof(ia->ia_pd)) {
r = -ENOBUFS;
goto error;
}
if (len < sizeof(ia->ia_pd))
return -ENOBUFS;
iaaddr_offset = sizeof(ia->ia_pd);
memcpy(&ia->ia_pd, iaoption->data, sizeof(ia->ia_pd));
@ -392,17 +390,14 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
if (lt_t1 && lt_t2 && lt_t1 > lt_t2) {
log_dhcp6_client(client, "IA PD T1 %ds > T2 %ds",
lt_t1, lt_t2);
r = -EINVAL;
goto error;
return -EINVAL;
}
break;
case SD_DHCP6_OPTION_IA_TA:
if (len < DHCP6_OPTION_IA_TA_LEN) {
r = -ENOBUFS;
goto error;
}
if (len < DHCP6_OPTION_IA_TA_LEN)
return -ENOBUFS;
iaaddr_offset = DHCP6_OPTION_IA_TA_LEN;
memcpy(&ia->ia_ta.id, iaoption->data, sizeof(ia->ia_ta));
@ -410,8 +405,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
break;
default:
r = -ENOMSG;
goto error;
return -ENOMSG;
}
ia->type = iatype;
@ -420,10 +414,8 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
while (i < len) {
DHCP6Option *option = (DHCP6Option *)&iaoption->data[i];
if (len < i + sizeof(*option) || len < i + sizeof(*option) + be16toh(option->len)) {
r = -ENOBUFS;
goto error;
}
if (len < i + sizeof(*option) || len < i + sizeof(*option) + be16toh(option->len))
return -ENOBUFS;
opt = be16toh(option->code);
optlen = be16toh(option->len);
@ -433,13 +425,12 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
if (!IN_SET(ia->type, SD_DHCP6_OPTION_IA_NA, SD_DHCP6_OPTION_IA_TA)) {
log_dhcp6_client(client, "IA Address option not in IA NA or TA option");
r = -EINVAL;
goto error;
return -EINVAL;
}
r = dhcp6_option_parse_address(option, ia, &lt_valid);
if (r < 0)
goto error;
return r;
if (lt_valid < lt_min)
lt_min = lt_valid;
@ -450,13 +441,12 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
if (!IN_SET(ia->type, SD_DHCP6_OPTION_IA_PD)) {
log_dhcp6_client(client, "IA PD Prefix option not in IA PD option");
r = -EINVAL;
goto error;
return -EINVAL;
}
r = dhcp6_option_parse_pdprefix(option, ia, &lt_valid);
if (r < 0)
goto error;
return r;
if (lt_valid < lt_min)
lt_min = lt_valid;
@ -465,15 +455,14 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
case SD_DHCP6_OPTION_STATUS_CODE:
status = dhcp6_option_parse_status(option, optlen);
if (status) {
status = dhcp6_option_parse_status(option, optlen + offsetof(DHCP6Option, data));
if (status < 0)
return status;
if (status > 0) {
log_dhcp6_client(client, "IA status %d",
status);
dhcp6_lease_free_ia(ia);
r = -EINVAL;
goto error;
return -EINVAL;
}
break;
@ -517,8 +506,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
break;
}
error:
return r;
return 0;
}
int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen,
@ -553,6 +541,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
bool first = true;
for (;;) {
const char *label;
uint8_t c;
c = optval[pos++];
@ -560,47 +549,41 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
if (c == 0)
/* End of name */
break;
else if (c <= 63) {
const char *label;
if (c > 63)
return -EBADMSG;
/* Literal label */
label = (const char *)&optval[pos];
pos += c;
if (pos >= optlen)
return -EMSGSIZE;
/* Literal label */
label = (const char *)&optval[pos];
pos += c;
if (pos >= optlen)
return -EMSGSIZE;
if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {
r = -ENOMEM;
goto fail;
}
if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))
return -ENOMEM;
if (first)
first = false;
else
ret[n++] = '.';
if (first)
first = false;
else
ret[n++] = '.';
r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
if (r < 0)
goto fail;
r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
if (r < 0)
return r;
n += r;
continue;
} else {
r = -EBADMSG;
goto fail;
}
n += r;
}
if (!GREEDY_REALLOC(ret, allocated, n + 1)) {
r = -ENOMEM;
goto fail;
}
if (n == 0)
continue;
if (!GREEDY_REALLOC(ret, allocated, n + 1))
return -ENOMEM;
ret[n] = 0;
r = strv_extend(&names, ret);
if (r < 0)
goto fail;
return r;
idx++;
}
@ -608,7 +591,4 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
*str_arr = TAKE_PTR(names);
return idx;
fail:
return r;
}

2
src/systemd/src/libsystemd-network/sd-dhcp-client.c
View file

@ -1688,6 +1688,8 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
client->timeout_resend =
sd_event_source_unref(client->timeout_resend);
client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
r = client_initialize(client);
if (r < 0)
goto error;

26
src/systemd/src/libsystemd-network/sd-dhcp6-client.c
View file

@ -837,10 +837,11 @@ static int client_parse_message(
DHCP6Message *message,
size_t len,
sd_dhcp6_lease *lease) {
uint32_t lt_t1 = ~0, lt_t2 = ~0;
bool clientid = false;
size_t pos = 0;
int r;
bool clientid = false;
uint32_t lt_t1 = ~0, lt_t2 = ~0;
assert(client);
assert(message);
@ -850,20 +851,22 @@ static int client_parse_message(
len -= sizeof(DHCP6Message);
while (pos < len) {
DHCP6Option *option = (DHCP6Option *)&message->options[pos];
DHCP6Option *option = (DHCP6Option *) &message->options[pos];
uint16_t optcode, optlen;
int status;
uint8_t *optval;
be32_t iaid_lease;
uint8_t *optval;
int status;
if (len < pos + offsetof(DHCP6Option, data) ||
len < pos + offsetof(DHCP6Option, data) + be16toh(option->len))
if (len < pos + offsetof(DHCP6Option, data))
return -ENOBUFS;
optcode = be16toh(option->code);
optlen = be16toh(option->len);
optval = option->data;
if (len < pos + offsetof(DHCP6Option, data) + optlen)
return -ENOBUFS;
switch (optcode) {
case SD_DHCP6_OPTION_CLIENTID:
if (clientid) {
@ -908,13 +911,14 @@ static int client_parse_message(
break;
case SD_DHCP6_OPTION_STATUS_CODE:
status = dhcp6_option_parse_status(option, optlen);
if (status) {
status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
if (status < 0)
return status;
if (status > 0) {
log_dhcp6_client(client, "%s Status %s",
dhcp6_message_type_to_string(message->type),
dhcp6_message_status_to_string(status));
dhcp6_lease_free_ia(&lease->ia);
dhcp6_lease_free_ia(&lease->pd);
return -EINVAL;
}

11
src/systemd/src/libsystemd-network/sd-dhcp6-lease.c
View file

@ -54,15 +54,16 @@ DHCP6IA *dhcp6_lease_free_ia(DHCP6IA *ia) {
int dhcp6_lease_set_serverid(sd_dhcp6_lease *lease, const uint8_t *id,
size_t len) {
uint8_t *serverid;
assert_return(lease, -EINVAL);
assert_return(id, -EINVAL);
free(lease->serverid);
lease->serverid = memdup(id, len);
if (!lease->serverid)
return -EINVAL;
serverid = memdup(id, len);
if (!serverid)
return -ENOMEM;
free_and_replace(lease->serverid, serverid);
lease->serverid_len = len;
return 0;