Date: Wed, 19 Dec 2018 18:16:30 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r342227 - head/libexec/bootpd Message-ID: <201812191816.wBJIGUU0005155@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Wed Dec 19 18:16:29 2018 New Revision: 342227 URL: https://svnweb.freebsd.org/changeset/base/342227 Log: bootpd: validate hardware type Due to insufficient validation of network-provided data it may have been possible for a malicious actor to craft a bootp packet which could cause a stack buffer overflow. admbugs: 850 Reported by: Reno Robert Reviewed by: markj Approved by: so Security: FreeBSD-SA-18:15.bootpd Sponsored by: The FreeBSD Foundation Modified: head/libexec/bootpd/bootpd.c Modified: head/libexec/bootpd/bootpd.c ============================================================================== --- head/libexec/bootpd/bootpd.c Wed Dec 19 18:05:50 2018 (r342226) +++ head/libexec/bootpd/bootpd.c Wed Dec 19 18:16:29 2018 (r342227) @@ -636,6 +636,10 @@ handle_request() char *homedir, *bootfile; int n; + if (bp->bp_htype >= hwinfocnt) { + report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype); + return; + } bp->bp_file[sizeof(bp->bp_file)-1] = '\0'; /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812191816.wBJIGUU0005155>