Date: Wed, 19 Dec 2018 18:19:15 +0000 (UTC)
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r342229 - stable/11/libexec/bootpd
Message-ID: <201812191819.wBJIJFWv005400@repo.freebsd.org>
Author: emaste Date: Wed Dec 19 18:19:15 2018 New Revision: 342229 URL: https://svnweb.freebsd.org/changeset/base/342229 Log: MFC r342227: bootpd: validate hardware type Due to insufficient validation of network-provided data it may have been possible for a malicious actor to craft a bootp packet which could cause a stack buffer overflow. admbugs: 850 Reported by: Reno Robert Reviewed by: markj Approved by: so Security: FreeBSD-SA-18:15.bootpd Sponsored by: The FreeBSD Foundation Modified: stable/11/libexec/bootpd/bootpd.c Directory Properties: stable/11/ (props changed) Modified: stable/11/libexec/bootpd/bootpd.c ============================================================================== --- stable/11/libexec/bootpd/bootpd.c Wed Dec 19 18:17:59 2018 (r342228) +++ stable/11/libexec/bootpd/bootpd.c Wed Dec 19 18:19:15 2018 (r342229) @@ -636,6 +636,10 @@ handle_request() char *homedir, *bootfile; int n; + if (bp->bp_htype >= hwinfocnt) { + report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype); + return; + } bp->bp_file[sizeof(bp->bp_file)-1] = '\0'; /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */
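Review bot: The guard on bp->bp_htype >= hwinfocnt is placed inside handle_request() only, so any other path in bootpd.c that uses bp_htype as an index without passing through this function stays unchecked; consider validating once where the packet is received, before dispatch, or confirm in the log message that no other handler indexes by it. The report() call logs only the type value ("bad hw addr type %u"); adding the sender address would let an operator trace where the malformed packets come from. A short comment above the check saying what hwinfocnt bounds would also document why it has to run before anything else in the function.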