Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 19 Dec 2018 18:19:15 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r342229 - stable/11/libexec/bootpd
Message-ID:  <201812191819.wBJIJFWv005400@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: emaste
Date: Wed Dec 19 18:19:15 2018
New Revision: 342229
URL: https://svnweb.freebsd.org/changeset/base/342229

Log:
  MFC r342227: bootpd: validate hardware type
  
  Due to insufficient validation of network-provided data it may have been
  possible for a malicious actor to craft a bootp packet which could cause
  a stack buffer overflow.
  
  admbugs:	850
  Reported by:	Reno Robert
  Reviewed by:	markj
  Approved by:	so
  Security:	FreeBSD-SA-18:15.bootpd
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/libexec/bootpd/bootpd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/libexec/bootpd/bootpd.c
==============================================================================
--- stable/11/libexec/bootpd/bootpd.c	Wed Dec 19 18:17:59 2018	(r342228)
+++ stable/11/libexec/bootpd/bootpd.c	Wed Dec 19 18:19:15 2018	(r342229)
@@ -636,6 +636,10 @@ handle_request()
 	char *homedir, *bootfile;
 	int n;
 
+	if (bp->bp_htype >= hwinfocnt) {
+		report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);
+		return;
+	}
 	bp->bp_file[sizeof(bp->bp_file)-1] = '\0';
 
 	/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812191819.wBJIJFWv005400>