ConnMan network manager
From: Daniel Wagner <wagi@monom.org>
To: connman@lists.linux.dev
Cc: Polina Smirnova <moe.hwr@gmail.com>, Daniel Wagner <wagi@monom.org>
Subject: [PATCH] gdhcp: Verify and sanitize packet length first
Date: Tue, 11 Apr 2023 08:19:45 +0200
Message-ID: <20230411061945.8089-1-wagi@monom.org>

Avoid overwriting the read packet length after the initial test. Thus
move all the length checks which depend on the total length first
and do not use the total length from the IP packet afterwards.

Fixes CVE-2023-28488

Reported by Polina Smirnova <moe.hwr@gmail.com>
---

Patch already applied.

 gdhcp/client.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/gdhcp/client.c b/gdhcp/client.c
index 7efa7e45aa4d..8201769261d7 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
 static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
 				struct sockaddr_in *dst_addr)
 {
-	int bytes;
 	struct ip_udp_dhcp_packet packet;
 	uint16_t check;
+	int bytes, tot_len;
 
 	memset(&packet, 0, sizeof(packet));
 
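Review bot: the declaration shuffle in this hunk is churn that makes the diff larger than the fix: `int bytes;` is removed from above `struct ip_udp_dhcp_packet packet;` only to reappear below `uint16_t check;` as `int bytes, tot_len;`. Keep `int bytes;` where it was and add `tot_len` there (`int bytes, tot_len;` in the original position), or add a separate `int tot_len;` line, so the hunk shows only the new variable.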
@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
 	if (bytes < 0)
 		return -1;
 
-	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
-		return -1;
-
-	if (bytes < ntohs(packet.ip.tot_len))
+	tot_len = ntohs(packet.ip.tot_len);
+	if (bytes > tot_len) {
+		/* ignore any extra garbage bytes */
+		bytes = tot_len;
+	} else if (bytes < tot_len) {
 		/* packet is bigger than sizeof(packet), we did partial read */
 		return -1;
+	}
 
-	/* ignore any extra garbage bytes */
-	bytes = ntohs(packet.ip.tot_len);
+	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+		return -1;
 
 	if (!sanity_check(&packet, bytes))
 		return -1;
-- 
2.40.0
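The two check orderings contrasted by the patch, reduced to the decisions visible in the hunk and run over constructed frames, as an added example that is not code from the ConnMan tree. The `struct ip_hdr`, `struct udp_hdr` and `struct frame` layouts are assumptions sized like IPv4 and UDP headers (they stand in for `struct ip_udp_dhcp_packet`), `HDR_MIN` stands in for `sizeof(packet.ip) + sizeof(packet.udp)`, and `make_frame()` assumes the read covered the IP header so that `tot_len` is whatever the sender put on the wire. The point it shows: with the old order a `tot_len` smaller than the headers (or zero) is handed on as the packet length even though the read itself was long enough, whereas the new order rejects it.

```c
#include <arpa/inet.h>	/* htons/ntohs */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the headers in struct ip_udp_dhcp_packet: sized
 * like IPv4 (20 bytes, tot_len at offset 2) and UDP (8 bytes). */
struct ip_hdr {
	uint8_t  vhl, tos;
	uint16_t tot_len;		/* network order, taken from the wire */
	uint8_t  rest[16];
};

struct udp_hdr {
	uint16_t source, dest, len, check;
};

struct frame {
	struct ip_hdr  ip;
	struct udp_hdr udp;
	uint8_t        dhcp[256];	/* assumed payload size */
};

#define HDR_MIN ((int)(sizeof(struct ip_hdr) + sizeof(struct udp_hdr)))

/* Pre-patch ordering: the minimum-size test runs on the bytes actually
 * read, and only afterwards is that count replaced by tot_len. Returns
 * the length that would be handed to sanity_check(), or -1 on reject. */
int length_check_before(const struct frame *f, int bytes)
{
	if (bytes < 0)
		return -1;
	if (bytes < HDR_MIN)
		return -1;
	if (bytes < ntohs(f->ip.tot_len))	/* partial read */
		return -1;
	bytes = ntohs(f->ip.tot_len);		/* may now be below HDR_MIN */
	return bytes;
}

/* Post-patch ordering: clamp to tot_len first, then size-test the
 * length that will really be used downstream. */
int length_check_after(const struct frame *f, int bytes)
{
	int tot_len;

	if (bytes < 0)
		return -1;
	tot_len = ntohs(f->ip.tot_len);
	if (bytes > tot_len)
		bytes = tot_len;		/* ignore trailing garbage */
	else if (bytes < tot_len)
		return -1;			/* partial read */
	if (bytes < HDR_MIN)
		return -1;			/* tot_len cannot hold IP+UDP */
	return bytes;
}

/* Constructed frame: zeroed like the real code's memset, with the IP
 * total length field set to whatever the sender chose (assumes the
 * read reached at least that field). */
void make_frame(struct frame *f, uint16_t tot_len)
{
	memset(f, 0, sizeof(*f));
	f->ip.vhl = 0x45;
	f->ip.tot_len = htons(tot_len);
}

/* Run one (tot_len, bytes read) pair through either ordering. */
int validate(uint16_t tot_len, int bytes, int patched)
{
	struct frame f;

	make_frame(&f, tot_len);
	return patched ? length_check_after(&f, bytes)
		       : length_check_before(&f, bytes);
}

int main(void)
{
	static const struct { uint16_t tot_len; int bytes; const char *what; } c[] = {
		{ 300, 300, "exact read" },
		{ 250, 300, "trailing garbage after tot_len" },
		{ 300, 200, "partial read" },
		{ 300,  10, "read shorter than the headers" },
		{   0, 300, "tot_len zero" },
		{   4, 300, "tot_len smaller than IP+UDP headers" },
	};
	size_t i;

	printf("%-40s %8s %6s %7s %7s\n", "case", "tot_len", "bytes", "before", "after");
	for (i = 0; i < sizeof(c) / sizeof(c[0]); i++)
		printf("%-40s %8u %6d %7d %7d\n", c[i].what, (unsigned)c[i].tot_len,
		       c[i].bytes, validate(c[i].tot_len, c[i].bytes, 0),
		       validate(c[i].tot_len, c[i].bytes, 1));
	return 0;
}
```

The last two rows of the table are the ones the patch is about: both orderings agree on exact, truncated and over-long reads, but only the patched order refuses a frame whose IP total length is too small to contain the IP and UDP headers it is supposed to describe.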


Thread overview: 2+ messages
2023-04-11  6:19 Daniel Wagner [this message]
2023-04-11  7:40 ` [PATCH] gdhcp: Verify and sanitize packet length first Daniel Wagner
