Home Verkennen Help
Registreren Inloggen
OpenWrt
/
openwrt
spiegel van https://github.com/openwrt/openwrt.git
2
0
Vork 0
Bestanden Issues 0 Wiki
Boom: c4e09ccb05
Aftakkingen Labels
openwrt
/
package
/
utils
/
busybox
/
patches
/
006-upstream_CVE-2011-2716_fixes.patch

006-upstream_CVE-2011-2716_fixes.patch 6.5 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. --- a/networking/udhcp/common.c
    2. 

  2. +++ b/networking/udhcp/common.c
    3. 

  3. @@ -29,16 +29,16 @@ const struct dhcp_optflag dhcp_optflags[
    4. 

  4.  //	{ OPTION_IP | OPTION_LIST                 , 0x07 }, /* DHCP_LOG_SERVER    */
    5. 

  5.  //	{ OPTION_IP | OPTION_LIST                 , 0x08 }, /* DHCP_COOKIE_SERVER */
    6. 

  6.  	{ OPTION_IP | OPTION_LIST                 , 0x09 }, /* DHCP_LPR_SERVER    */
    7. 

  7. -	{ OPTION_STRING               | OPTION_REQ, 0x0c }, /* DHCP_HOST_NAME     */
    8. 

  8. +	{ OPTION_STRING_HOST          | OPTION_REQ, 0x0c }, /* DHCP_HOST_NAME     */
    9. 

  9.  	{ OPTION_U16                              , 0x0d }, /* DHCP_BOOT_SIZE     */
    10. 

  10. -	{ OPTION_STRING               | OPTION_REQ, 0x0f }, /* DHCP_DOMAIN_NAME   */
    11. 

  11. +	{ OPTION_STRING_HOST          | OPTION_REQ, 0x0f }, /* DHCP_DOMAIN_NAME   */
    12. 

  12.  	{ OPTION_IP                               , 0x10 }, /* DHCP_SWAP_SERVER   */
    13. 

  13.  	{ OPTION_STRING                           , 0x11 }, /* DHCP_ROOT_PATH     */
    14. 

  14.  	{ OPTION_U8                               , 0x17 }, /* DHCP_IP_TTL        */
    15. 

  15.  	{ OPTION_U16                              , 0x1a }, /* DHCP_MTU           */
    16. 

  16.  	{ OPTION_IP                   | OPTION_REQ, 0x1c }, /* DHCP_BROADCAST     */
    17. 

  17.  	{ OPTION_IP_PAIR | OPTION_LIST            , 0x21 }, /* DHCP_ROUTES        */
    18. 

  18. -	{ OPTION_STRING                           , 0x28 }, /* DHCP_NIS_DOMAIN    */
    19. 

  19. +	{ OPTION_STRING_HOST                      , 0x28 }, /* DHCP_NIS_DOMAIN    */
    20. 

  20.  	{ OPTION_IP | OPTION_LIST                 , 0x29 }, /* DHCP_NIS_SERVER    */
    21. 

  21.  	{ OPTION_IP | OPTION_LIST     | OPTION_REQ, 0x2a }, /* DHCP_NTP_SERVER    */
    22. 

  22.  	{ OPTION_IP | OPTION_LIST                 , 0x2c }, /* DHCP_WINS_SERVER   */
    23. 

  23. @@ -46,7 +46,7 @@ const struct dhcp_optflag dhcp_optflags[
    24. 

  24.  	{ OPTION_IP                               , 0x36 }, /* DHCP_SERVER_ID     */
    25. 

  25.  	{ OPTION_STRING                           , 0x38 }, /* DHCP_ERR_MESSAGE   */
    26. 

  26.  //TODO: must be combined with 'sname' and 'file' handling:
    27. 

  27. -	{ OPTION_STRING                           , 0x42 }, /* DHCP_TFTP_SERVER_NAME */
    28. 

  28. +	{ OPTION_STRING_HOST                      , 0x42 }, /* DHCP_TFTP_SERVER_NAME */
    29. 

  29.  	{ OPTION_STRING                           , 0x43 }, /* DHCP_BOOT_FILE     */
    30. 

  30.  //TODO: not a string, but a set of LASCII strings:
    31. 

  31.  //	{ OPTION_STRING                           , 0x4D }, /* DHCP_USER_CLASS    */
    32. 

  32. @@ -143,6 +143,7 @@ const uint8_t dhcp_option_lengths[] ALIG
    33. 

  33.  	[OPTION_IP_PAIR] = 8,
    34. 

  34.  //	[OPTION_BOOLEAN] = 1,
    35. 

  35.  	[OPTION_STRING] =  1,  /* ignored by udhcp_str2optset */
    36. 

  36. +	[OPTION_STRING_HOST] = 1,  /* ignored by udhcp_str2optset */
    37. 

  37.  #if ENABLE_FEATURE_UDHCP_RFC3397
    38. 

  38.  	[OPTION_DNS_STRING] = 1,  /* ignored by both udhcp_str2optset and xmalloc_optname_optval */
    39. 

  39.  	[OPTION_SIP_SERVERS] = 1,
    40. 

  40. @@ -411,7 +412,9 @@ static NOINLINE void attach_option(
    41. 

  41.  			/* actually 255 is ok too, but adding a space can overlow it */
    42. 

  42.  
    43. 

  43.  			existing->data = xrealloc(existing->data, OPT_DATA + 1 + old_len + length);
    44. 

  44. -			if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING) {
    45. 

  45. +			if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING
    46. 

  46. +			 || (optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING_HOST
    47. 

  47. +			) {
    48. 

  48.  				/* add space separator between STRING options in a list */
    49. 

  49.  				existing->data[OPT_DATA + old_len] = ' ';
    50. 

  50.  				old_len++;
    51. 

  51. @@ -475,6 +478,7 @@ int FAST_FUNC udhcp_str2optset(const cha
    52. 

  52.  				retval = udhcp_str2nip(val, buffer + 4);
    53. 

  53.  			break;
    54. 

  54.  		case OPTION_STRING:
    55. 

  55. +		case OPTION_STRING_HOST:
    56. 

  56.  #if ENABLE_FEATURE_UDHCP_RFC3397
    57. 

  57.  		case OPTION_DNS_STRING:
    58. 

  58.  #endif
    59. 

  59. --- a/networking/udhcp/common.h
    60. 

  60. +++ b/networking/udhcp/common.h
    61. 

  61. @@ -80,6 +80,9 @@ enum {
    62. 

  62.  	OPTION_IP = 1,
    63. 

  63.  	OPTION_IP_PAIR,
    64. 

  64.  	OPTION_STRING,
    65. 

  65. +	/* Opts of STRING_HOST type will be sanitized before they are passed
    66. 

  66. +	 * to udhcpc script's environment: */
    67. 

  67. +	OPTION_STRING_HOST,
    68. 

  68.  //	OPTION_BOOLEAN,
    69. 

  69.  	OPTION_U8,
    70. 

  70.  	OPTION_U16,
    71. 

  71. --- a/networking/udhcp/dhcpc.c
    72. 

  72. +++ b/networking/udhcp/dhcpc.c
    73. 

  73. @@ -101,6 +101,7 @@ static const uint8_t len_of_option_as_st
    74. 

  74.  	[OPTION_IP_PAIR         ] = sizeof("255.255.255.255 ") * 2,
    75. 

  75.  	[OPTION_STATIC_ROUTES   ] = sizeof("255.255.255.255/32 255.255.255.255 "),
    76. 

  76.  	[OPTION_STRING          ] = 1,
    77. 

  77. +	[OPTION_STRING_HOST     ] = 1,
    78. 

  78.  #if ENABLE_FEATURE_UDHCP_RFC3397
    79. 

  79.  	[OPTION_DNS_STRING      ] = 1, /* unused */
    80. 

  80.  	/* Hmmm, this severely overestimates size if SIP_SERVERS option
    81. 

  81. @@ -135,6 +136,63 @@ static int mton(uint32_t mask)
    82. 

  82.  	return i;
    83. 

  83.  }
    84. 

  84.  
    85. 

  85. +/* Check if a given label represents a valid DNS label
    86. 

  86. + * Return pointer to the first character after the label upon success,
    87. 

  87. + * NULL otherwise.
    88. 

  88. + * See RFC1035, 2.3.1
    89. 

  89. + */
    90. 

  90. +/* We don't need to be particularly anal. For example, allowing _, hyphen
    91. 

  91. + * at the end, or leading and trailing dots would be ok, since it
    92. 

  92. + * can't be used for attacks. (Leading hyphen can be, if someone uses
    93. 

  93. + * cmd "$hostname"
    94. 

  94. + * in the script: then hostname may be treated as an option)
    95. 

  95. + */
    96. 

  96. +static const char *valid_domain_label(const char *label)
    97. 

  97. +{
    98. 

  98. +	unsigned char ch;
    99. 

  99. +	unsigned pos = 0;
    100. 

  100. +
    101. 

  101. +	for (;;) {
    102. 

  102. +		ch = *label;
    103. 

  103. +		if ((ch|0x20) < 'a' || (ch|0x20) > 'z') {
    104. 

  104. +			if (pos == 0) {
    105. 

  105. +				/* label must begin with letter */
    106. 

  106. +				return NULL;
    107. 

  107. +			}
    108. 

  108. +			if (ch < '0' || ch > '9') {
    109. 

  109. +				if (ch == '\0' || ch == '.')
    110. 

  110. +					return label;
    111. 

  111. +				/* DNS allows only '-', but we are more permissive */
    112. 

  112. +				if (ch != '-' && ch != '_')
    113. 

  113. +					return NULL;
    114. 

  114. +			}
    115. 

  115. +		}
    116. 

  116. +		label++;
    117. 

  117. +		pos++;
    118. 

  118. +		//Do we want this?
    119. 

  119. +		//if (pos > 63) /* NS_MAXLABEL; labels must be 63 chars or less */
    120. 

  120. +		//	return NULL;
    121. 

  121. +	}
    122. 

  122. +}
    123. 

  123. +
    124. 

  124. +/* Check if a given name represents a valid DNS name */
    125. 

  125. +/* See RFC1035, 2.3.1 */
    126. 

  126. +static int good_hostname(const char *name)
    127. 

  127. +{
    128. 

  128. +	//const char *start = name;
    129. 

  129. +
    130. 

  130. +	for (;;) {
    131. 

  131. +		name = valid_domain_label(name);
    132. 

  132. +		if (!name)
    133. 

  133. +			return 0;
    134. 

  134. +		if (!name[0])
    135. 

  135. +			return 1;
    136. 

  136. +			//Do we want this?
    137. 

  137. +			//return ((name - start) < 1025); /* NS_MAXDNAME */
    138. 

  138. +		name++;
    139. 

  139. +	}
    140. 

  140. +}
    141. 

  141. +
    142. 

  142.  /* Create "opt_name=opt_value" string */
    143. 

  143.  static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_optflag *optflag, const char *opt_name)
    144. 

  144.  {
    145. 

  145. @@ -185,8 +243,11 @@ static NOINLINE char *xmalloc_optname_op
    146. 

  146.  			break;
    147. 

  147.  		}
    148. 

  148.  		case OPTION_STRING:
    149. 

  149. +		case OPTION_STRING_HOST:
    150. 

  150.  			memcpy(dest, option, len);
    151. 

  151.  			dest[len] = '\0';
    152. 

  152. +			if (type == OPTION_STRING_HOST && !good_hostname(dest))
    153. 

  153. +				safe_strncpy(dest, "bad", len);
    154. 

  154.  			return ret;	 /* Short circuit this case */
    155. 

  155.  		case OPTION_STATIC_ROUTES: {
    156. 

  156.  			/* Option binary format:
    157. 

  157. @@ -314,6 +375,7 @@ static char **fill_envp(struct dhcp_pack
    158. 

  158.  	/* +1 element for each option, +2 for subnet option: */
    159. 

  159.  	if (packet) {
    160. 

  160.  		/* note: do not search for "pad" (0) and "end" (255) options */
    161. 

  161. +//TODO: change logic to scan packet _once_
    162. 

  162.  		for (i = 1; i < 255; i++) {
    163. 

  163.  			temp = udhcp_get_option(packet, i);
    164. 

  164.  			if (temp) {
    165.