From: Daniel Wagner <wagi@monom.org>
To: connman@lists.linux.dev
Cc: Polina Smirnova <moe.hwr@gmail.com>, Daniel Wagner <wagi@monom.org>
Subject: [PATCH] gdhcp: Verify and sanitize packet length first
Date: Tue, 11 Apr 2023 08:19:45 +0200 [thread overview]
Message-ID: <20230411061945.8089-1-wagi@monom.org> (raw)
Avoid overwriting the read packet length after the initial test. Thus
move all the length checks which depends on the total length first
and do not use the total lenght from the IP packet afterwards.
Fixes CVE-2023-28488
Reported by Polina Smirnova <moe.hwr@gmail.com>
---
Patch already applied.
gdhcp/client.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/gdhcp/client.c b/gdhcp/client.c
index 7efa7e45aa4d..8201769261d7 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
struct sockaddr_in *dst_addr)
{
- int bytes;
struct ip_udp_dhcp_packet packet;
uint16_t check;
+ int bytes, tot_len;
memset(&packet, 0, sizeof(packet));
@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
if (bytes < 0)
return -1;
- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
- return -1;
-
- if (bytes < ntohs(packet.ip.tot_len))
+ tot_len = ntohs(packet.ip.tot_len);
+ if (bytes > tot_len) {
+ /* ignore any extra garbage bytes */
+ bytes = tot_len;
+ } else if (bytes < tot_len) {
/* packet is bigger than sizeof(packet), we did partial read */
return -1;
+ }
- /* ignore any extra garbage bytes */
- bytes = ntohs(packet.ip.tot_len);
+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+ return -1;
if (!sanity_check(&packet, bytes))
return -1;
--
2.40.0
next reply other threads:[~2023-04-11 6:29 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-11 6:19 Daniel Wagner [this message]
2023-04-11 7:40 ` [PATCH] gdhcp: Verify and sanitize packet length first Daniel Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230411061945.8089-1-wagi@monom.org \
--to=wagi@monom.org \
--cc=connman@lists.linux.dev \
--cc=moe.hwr@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).