busybox: Security Fix CVE-2016-2148
busybox <= 1.24.2 (From OE-Core rev: ff1a31824a2a43e63682a176a904de43ad0e1c2e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
3c6ead9129
commit
2928ca48e9
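--- /dev/null
+++ b/CVE-2016-2148.patch
@@ -0,0 +1,74 @@
+From 352f79acbd759c14399e39baef21fc4ffe180ac2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 26 Feb 2016 15:54:56 +0100
+Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced
+buffer)
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2148
+https://git.busybox.net/busybox/commit/?id=352f79
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+networking/udhcp/common.c | 15 +++++++++++++--
+networking/udhcp/dhcpc.c | 4 ++--
+2 files changed, 15 insertions(+), 4 deletions(-)
+
+Index: busybox-1.23.2/networking/udhcp/common.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/common.c
++++ busybox-1.23.2/networking/udhcp/common.c
+@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1
+* udhcp_str2optset: to determine how many bytes to allocate.
+* xmalloc_optname_optval: to estimate string length
+* from binary option length: (option[LEN] / dhcp_option_lengths[opt_type])
+- * is the number of elements, multiply in by one element's string width
++ * is the number of elements, multiply it by one element's string width
+* (len_of_option_as_string[opt_type]) and you know how wide string you need.
+*/
+const uint8_t dhcp_option_lengths[] ALIGN1 = {
+@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIG
+[OPTION_S32] = 4,
+/* Just like OPTION_STRING, we use minimum length here */
+[OPTION_STATIC_ROUTES] = 5,
+- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */
++ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */
++ /* The above value was chosen as follows:
++ * len_of_option_as_string[] for this option is >60: it's a string of the form
++ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ".
++ * Each additional ipv4 address takes 4 bytes in binary option and appends
++ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4
++ * but this severely overestimates string length: instead of 16 bytes,
++ * it adds >60 for every 4 bytes in binary option.
++ * We cheat and declare here that option is in units of 12 bytes.
++ * This adds more than 60 bytes for every three ipv4 addresses - more than enough.
++ * (Even 16 instead of 12 should work, but let's be paranoid).
++ */
+};
+
+
+Index: busybox-1.23.2/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.23.2.orig/networking/udhcp/dhcpc.c
++++ busybox-1.23.2/networking/udhcp/dhcpc.c
+@@ -103,7 +103,7 @@ static const uint8_t len_of_option_as_st
+[OPTION_IP ] = sizeof("255.255.255.255 "),
+[OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
+[OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
+- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
++ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+[OPTION_STRING ] = 1,
+[OPTION_STRING_HOST ] = 1,
+#if ENABLE_FEATURE_UDHCP_RFC3397
+@@ -214,7 +214,7 @@ static NOINLINE char *xmalloc_optname_op
+type = optflag->flags & OPTION_TYPE_MASK;
+optlen = dhcp_option_lengths[type];
+upper_length = len_of_option_as_string[type]
+- * ((unsigned)(len + optlen - 1) / (unsigned)optlen);
++ * ((unsigned)(len + optlen) / (unsigned)optlen);
+
+dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
+dest += sprintf(ret, "%s=", opt_name);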
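Review bot: The allocation in the dhcpc.c hunk at `@@ -214,7 +214,7 @@` is still a size estimate followed by unbounded writes — `dest += sprintf(ret, "%s=", opt_name);` on the hunk's last line — so memory safety continues to rest on `upper_length` being large enough for every option type, and this fix tunes that estimate (`[OPTION_6RD] = 12`, the wider "132 128 …" string, and the `(len + optlen) / optlen` rounding) rather than bounding the output. A defensive follow-up would have xmalloc_optname_optval track the remaining capacity of `ret` and format with `snprintf` (or at least assert against it), so that a wrong entry in `dhcp_option_lengths[]` or `len_of_option_as_string[]` degrades to truncation instead of a heap overflow. The long justification for 12 lives only in common.c; a one-line reminder at the allocation site, e.g. `/* upper_length must cover the longest string any option of this type can format; see dhcp_option_lengths[] */`, would help whoever next edits either table. xmalloc_optname_optval's body continues outside the hunk.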
@ -44,6 +44,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
|
|||
file://rcS \
|
||||
file://rcK \
|
||||
file://runlevel \
|
||||
file://CVE-2016-2148.patch \
|
||||
"
|
||||
SRC_URI_append_libc-musl = " file://musl.cfg "
|
||||
|
||||
|