Viewing all changes in revision 17715.
- Committer: Denys Vlasenko
- Date: 2023-10-04 14:46:35 UTC
- Revision ID: git-v1:e265c8d4c039729f2a68f3b1fb589c13c38d86f8
udhcp: Avoid leaking uninitialized/stale data
I noticed a commit in connman:
"gdhcp: Avoid leaking stack data via unitiialized variable" [1]
Since gdhcp is just BusyBox udhcp with the serial numbers filed off, I
checked if BusyBox udhcp has a related issue.
The issue is that the get_option logic assumes any data within the
memory area of the buffer is "valid". This reduces the complexity of the
function at the cost of reading past the end of the actually received
data in the case of specially crafted packets. This is not a problem
for the udhcp_recv_kernel_packet data path as the entire memory
area is zeroed. However, d4/d6_recv_raw_packet does not zero the
memory.
Note that a related commit [2] is not required as we are zeroing
any data that can be read by the get_option function.
[1] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1
[2] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
function old new delta
d4_recv_raw_packet 484 497 +13
d6_recv_raw_packet 216 228 +12
.rodata 105390 105381 -9
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/1 up/down: 25/-9) Total: 16 bytes
Signed-off-by: Russ Dill <russ.dill@gmail.com>
Cc: Colin Wee <cwee@tesla.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
I noticed a commit in connman:
"gdhcp: Avoid leaking stack data via unitiialized variable" [1]
Since gdhcp is just BusyBox udhcp with the serial numbers filed off, I
checked if BusyBox udhcp has a related issue.
The issue is that the get_option logic assumes any data within the
memory area of the buffer is "valid". This reduces the complexity of the
function at the cost of reading past the end of the actually received
data in the case of specially crafted packets. This is not a problem
for the udhcp_recv_kernel_packet data path as the entire memory
area is zeroed. However, d4/d6_recv_raw_packet does not zero the
memory.
Note that a related commit [2] is not required as we are zeroing
any data that can be read by the get_option function.
[1] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1
[2] https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
function old new delta
d4_recv_raw_packet 484 497 +13
d6_recv_raw_packet 216 228 +12
.rodata 105390 105381 -9
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/1 up/down: 25/-9) Total: 16 bytes
Signed-off-by: Russ Dill <russ.dill@gmail.com>
Cc: Colin Wee <cwee@tesla.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
- files modified:
- networking/udhcp/d6_dhcpc.c
expand all
collapse all
added
removed
