Date: Wed, 19 Dec 2018 18:17:59 +0000 (UTC)
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r342228 - stable/12/libexec/bootpd
Message-ID: <201812191817.wBJIHxYE005279@repo.freebsd.org>
Author: emaste Date: Wed Dec 19 18:17:59 2018 New Revision: 342228 URL: https://svnweb.freebsd.org/changeset/base/342228 Log: MFC r342227: bootpd: validate hardware type Due to insufficient validation of network-provided data it may have been possible for a malicious actor to craft a bootp packet which could cause a stack buffer overflow. admbugs: 850 Reported by: Reno Robert Reviewed by: markj Approved by: so Security: FreeBSD-SA-18:15.bootpd Sponsored by: The FreeBSD Foundation Modified: stable/12/libexec/bootpd/bootpd.c Directory Properties: stable/12/ (props changed) Modified: stable/12/libexec/bootpd/bootpd.c ============================================================================== --- stable/12/libexec/bootpd/bootpd.c Wed Dec 19 18:16:29 2018 (r342227) +++ stable/12/libexec/bootpd/bootpd.c Wed Dec 19 18:17:59 2018 (r342228) @@ -636,6 +636,10 @@ handle_request() char *homedir, *bootfile; int n; + if (bp->bp_htype >= hwinfocnt) { + report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype); + return; + } bp->bp_file[sizeof(bp->bp_file)-1] = '\0'; /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */
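Review bot: The new bp_htype test at the top of handle_request() has no comment saying what hwinfocnt bounds or why the test has to come before any use of the hardware type. A one-line comment there would keep a later edit from moving code that reads bp_htype above the check. The hunk only shows the guard in handle_request(), so it is worth confirming that no other path that parses a received packet uses bp_htype without the same comparison. The report(LOG_NOTICE, ...) line is triggered by network-supplied data and records only the type value. Consider adding the sender's address to the message for triage, and check that a stream of malformed packets cannot flood the log.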