From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. c3afb9c65d4e9108db64cf8f3fc2e234e846380e
Date: Tue, 02 Aug 2016 16:12:01 +0100
Message-ID: <20160802151202.5956C1081BA6@git01.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via c3afb9c65d4e9108db64cf8f3fc2e234e846380e (commit)
via 3a4a8b055b56e22d9176486ce77abb1e26a0647e (commit)
via 4b8f1ffb319303c1f70bcaa987803ddb328a6e94 (commit)
from 80a474183e6c730da89e96a3d7719534c252a06b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit c3afb9c65d4e9108db64cf8f3fc2e234e846380e
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Sat Jul 23 23:03:14 2016 +0200
dnsmasq 2.76: latest patches from upstream (010-012)
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3a4a8b055b56e22d9176486ce77abb1e26a0647e
Author: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
Date: Tue Aug 2 14:01:05 2016 +0200
Libvirt: Add backup
The directory /etc/libvirt is backed up on uninstallation and is
restored on installation.
All files in /var are commented in the rootfile so they are not
removed on uninstallation.
Because of the fact that the directories are not shipped with the
package they were created at installation time.
The permissions of 3 directories are changed because the qemu user is
nobody and the qemu group is kvm, so the permissions must be nobody:kvm
Fixes: #11151
Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 4b8f1ffb319303c1f70bcaa987803ddb328a6e94
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Aug 2 16:06:35 2016 +0100
openssh: Update to 7.3p1
Includes various security fixes:
* sshd(8): Mitigate a potential denial-of-service attack against
the system's crypt(3) function via sshd(8). An attacker could
send very long passwords that would cause excessive CPU use in
crypt(3). sshd(8) now refuses to accept password authentication
requests of length greater than 1024 characters. Independently
reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
are disabled by default and only included for legacy compatibility.
* ssh(1), sshd(8): Improve operation ordering of MAC verification for
Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
MAC before decrypting any ciphertext. This removes the possibility
of timing differences leaking facts about the plaintext, though no
such leakage has been observed. Reported by Jean Paul Degabriele,
Kenny Paterson, Torben Hansen and Martin Albrecht.
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
Fixes: #11160
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/backup/includes/libvirt | 1 +
config/rootfiles/packages/libvirt | 15 +-
lfs/dnsmasq | 3 +
lfs/libvirt | 4 +-
lfs/openssh | 4 +-
src/paks/libvirt/install.sh | 16 ++
src/paks/libvirt/uninstall.sh | 4 +
...q-Add-support-to-read-ISC-DHCP-lease-file.patch | 6 +-
...put_to_reduce_risk_of_information_leakage.patch | 169 +++++++++++++++++++++
...on_transmission_in_case_of_retransmission.patch | 54 +++++++
...n_buffer_sizes_for_leasefile_parsing_code.patch | 103 +++++++++++++
11 files changed, 366 insertions(+), 13 deletions(-)
create mode 100644 config/backup/includes/libvirt
create mode 100644 src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
create mode 100644 src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
create mode 100644 src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
Difference in files:
diff --git a/config/backup/includes/libvirt b/config/backup/includes/libvirt
new file mode 100644
index 0000000..2306999
--- /dev/null
+++ b/config/backup/includes/libvirt
@@ -0,0 +1 @@
+/etc/libvirt
diff --git a/config/rootfiles/packages/libvirt b/config/rootfiles/packages/libvirt
index aa20aaa..b193987 100644
--- a/config/rootfiles/packages/libvirt
+++ b/config/rootfiles/packages/libvirt
@@ -271,17 +271,18 @@ usr/share/libvirt/schemas/storagevol.rng
#usr/share/man/man8/libvirtd.8
#usr/share/man/man8/virtlockd.8
#var/cache/libvirt
-var/cache/libvirt/qemu
+#var/cache/libvirt/qemu
#var/lib/libvirt
-var/lib/libvirt/boot
-var/lib/libvirt/filesystems
-var/lib/libvirt/images
+#var/lib/libvirt/boot
+#var/lib/libvirt/filesystems
+#var/lib/libvirt/images
#var/lib/libvirt/lockd
-var/lib/libvirt/lockd/files
-var/lib/libvirt/qemu
+#var/lib/libvirt/lockd/files
+#var/lib/libvirt/qemu
#var/log/libvirt
#var/log/libvirt/lxc
-var/log/libvirt/qemu
+#var/log/libvirt/qemu
#var/log/libvirt/uml
etc/rc.d/init.d/libvirt-guests
etc/rc.d/init.d/libvirtd
+var/ipfire/backup/addons/includes/libvirt
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index a0fdc50..eb0f0ba 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -82,6 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
diff --git a/lfs/libvirt b/lfs/libvirt
index 6768a72..c551bc2 100644
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
SUP_ARCH = i586 x86_64
PROG = libvirt
-PAK_VER = 4
+PAK_VER = 5
DEPS = "libpciaccess libyajl ncat qemu"
@@ -91,5 +91,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make install
install -v -m 754 $(DIR_SRC)/src/initscripts/init.d/libvirtd /etc/rc.d/init.d/libvirtd
mv /usr/libexec/libvirt-guests.sh /etc/rc.d/init.d/libvirt-guests
+ # Backup
+ install -v -m 644 $(DIR_SRC)/config/backup/includes/libvirt /var/ipfire/backup/addons/includes/libvirt
@rm -rf $(DIR_APP)
@$(POSTBUILD)
diff --git a/lfs/openssh b/lfs/openssh
index c4dff4d..371d0df 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@
include Config
-VER = 7.2p2
+VER = 7.3p1
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 13009a9156510d8f27e752659075cced
+$(DL_FILE)_MD5 = dfadd9f035d38ce5d58a3bf130b86d08
install : $(TARGET)
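Review bot: The only integrity pin visible for the new tarball is the `$(DL_FILE)_MD5` line, and MD5 is not collision resistant, which is a weak guarantee for a package like OpenSSH that is being updated for security fixes. Before merging, check the 7.3p1 tarball against the upstream release signature, and if the build system accepts a stronger digest next to the MD5 value, add one here.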
diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh
index c97a18d..1034b6b 100644
--- a/src/paks/libvirt/install.sh
+++ b/src/paks/libvirt/install.sh
@@ -29,6 +29,22 @@ getent passwd libvirt-remote >/dev/null || \
useradd -m -g libvirt-remote -s /bin/bash "libvirt-remote"
extract_files
+
+# create diretorys in var
+mkdir -p /var/cache/libvirt/qemu \
+/var/lib/libvirt/boot \
+/var/lib/libvirt/filesystems \
+/var/lib/libvirt/images \
+/var/lib/libvirt/lockd/files \
+/var/lib/libvirt/qemu \
+/var/log/libvirt/qemu
+# set the permissions
+chown -R nobody:kvm /var/cache/libvirt/qemu
+chown -R nobody:kvm /var/lib/libvirt/qemu
+chown -R nobody:kvm /var/lib/libvirt/images
+# restore the backup
+restore_backup ${NAME}
+
start_service --delay 300 --background libvirtd
ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
ln -svf /etc/init.d/libvirtd /etc/rc.d/rc3.d/S70libvirtd
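Review bot: The `mkdir -p` block creates the /var directories with whatever mode the installer's umask yields, and only three of them get an owner afterwards; for `/var/lib/libvirt/images` and `/var/lib/libvirt/qemu`, which hold guest disks and state, set the mode explicitly (for example `install -d` with `-m`, `-o nobody` and `-g kvm`) instead of relying on the umask. Since the rootfile change lets these directories survive uninstallation, `chown -R nobody:kvm` will also rewrite the ownership of every existing file under them on each reinstall; a non-recursive chown on the directories themselves would be safer. `restore_backup ${NAME}` should quote the variable, and the first comment has a typo (`diretorys`).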
diff --git a/src/paks/libvirt/uninstall.sh b/src/paks/libvirt/uninstall.sh
index 16dc724..23c86e5 100644
--- a/src/paks/libvirt/uninstall.sh
+++ b/src/paks/libvirt/uninstall.sh
@@ -23,6 +23,10 @@
#
. /opt/pakfire/lib/functions.sh
stop_service libvirtd
+
+extract_backup_includes
+make_backup ${NAME}
+
remove_files
rm -f /etc/rc.d/rc*.d/*libvirt-guests
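Review bot: `make_backup ${NAME}` is followed unconditionally by `remove_files`, so if the backup step fails (full disk, missing includes file) the uninstall still proceeds without a verified copy of the configuration. Check the exit status of `make_backup` and abort or at least warn before `remove_files` runs, and quote `${NAME}`.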
diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
index 25feb8d..97b7749 100644
--- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
+++ b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
@@ -42,7 +42,7 @@
--- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015
+++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015
-@@ -1016,6 +1016,11 @@
+@@ -1017,6 +1017,11 @@
poll_resolv(0, daemon->last_resolv != 0, now);
daemon->last_resolv = now;
@@ -56,7 +56,7 @@
--- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015
+++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015
-@@ -1514,6 +1514,11 @@
+@@ -1516,6 +1516,11 @@
void poll_listen(int fd, short event);
int do_poll(int timeout);
@@ -341,7 +341,7 @@
+#endif
--- a/src/option.c Wed Dec 16 19:24:12 2015
+++ b/src/option.c Wed Dec 16 19:42:48 2015
-@@ -1770,7 +1770,7 @@
+@@ -1771,7 +1771,7 @@
ret_err(_("bad MX target"));
break;
diff --git a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
new file mode 100644
index 0000000..a8c10a4
--- /dev/null
+++ b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
@@ -0,0 +1,169 @@
+From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Fri, 22 Jul 2016 20:56:01 +0100
+Subject: [PATCH] Zero packet buffers before building output, to reduce risk
+ of information leakage.
+
+---
+ src/auth.c | 5 +++++
+ src/dnsmasq.h | 1 +
+ src/outpacket.c | 10 ++++++++++
+ src/radv.c | 2 +-
+ src/rfc1035.c | 5 +++++
+ src/rfc3315.c | 6 +++---
+ src/slaac.c | 2 +-
+ src/tftp.c | 5 ++++-
+ 8 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 198572d..3c5c37f 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
+ struct all_addr addr;
+ struct cname *a;
+
++ /* Clear buffer beyond request to avoid risk of
++ information disclosure. */
++ memset(((char *)header) + qlen, 0,
++ (limit - ((char *)header)) - qlen);
++
+ if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
+ return 0;
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index be27ae0..2bda5d0 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay);
+ /* outpacket.c */
+ #ifdef HAVE_DHCP6
+ void end_opt6(int container);
++void reset_counter(void);
+ int save_counter(int newval);
+ void *expand(size_t headroom);
+ int new_opt6(int opt);
+diff --git a/src/outpacket.c b/src/outpacket.c
+index a414efa..2caacd9 100644
+--- a/src/outpacket.c
++++ b/src/outpacket.c
+@@ -29,9 +29,19 @@ void end_opt6(int container)
+ PUTSHORT(len, p);
+ }
+
++void reset_counter(void)
++{
++ /* Clear out buffer when starting from begining */
++ if (daemon->outpacket.iov_base)
++ memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len);
++
++ save_counter(0);
++}
++
+ int save_counter(int newval)
+ {
+ int ret = outpacket_counter;
++
+ if (newval != -1)
+ outpacket_counter = newval;
+
+diff --git a/src/radv.c b/src/radv.c
+index faa0f6d..39c9217 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
+ parm.adv_interval = calc_interval(ra_param);
+ parm.prio = calc_prio(ra_param);
+
+- save_counter(0);
++ reset_counter();
+
+ if (!(ra = expand(sizeof(struct ra_packet))))
+ return;
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 24d08c1..9e730a9 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
+ struct mx_srv_record *rec;
+ size_t len;
++
++ /* Clear buffer beyond request to avoid risk of
++ information disclosure. */
++ memset(((char *)header) + qlen, 0,
++ (limit - ((char *)header)) - qlen);
+
+ if (ntohs(header->ancount) != 0 ||
+ ntohs(header->nscount) != 0 ||
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 3f4d69c..e1271a1 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
+ for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next)
+ vendor->netid.next = &vendor->netid;
+
+- save_counter(0);
++ reset_counter();
+ state.context = context;
+ state.interface = interface;
+ state.iface_name = iface_name;
+@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
+ if (hopcount > 32)
+ return;
+
+- save_counter(0);
++ reset_counter();
+
+ if ((header = put_opt6(NULL, 34)))
+ {
+@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival
+ (!relay->interface || wildcard_match(relay->interface, arrival_interface)))
+ break;
+
+- save_counter(0);
++ reset_counter();
+
+ if (relay)
+ {
+diff --git a/src/slaac.c b/src/slaac.c
+index 07b8ba4..bd6c9b4 100644
+--- a/src/slaac.c
++++ b/src/slaac.c
+@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
+ struct ping_packet *ping;
+ struct sockaddr_in6 addr;
+
+- save_counter(0);
++ reset_counter();
+
+ if (!(ping = expand(sizeof(struct ping_packet))))
+ continue;
+diff --git a/src/tftp.c b/src/tftp.c
+index 3e1b5c5..618c406 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
+ ssize_t len, ret = 4;
+ char *errstr = strerror(errno);
+
++ memset(packet, 0, daemon->packet_buff_sz);
+ sanitise(file);
+-
++
+ mess->op = htons(OP_ERR);
+ mess->err = htons(err);
+ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr);
+@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file)
+ /* return -1 for error, zero for done. */
+ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
+ {
++ memset(packet, 0, daemon->packet_buff_sz);
++
+ if (transfer->block == 0)
+ {
+ /* send OACK */
+--
+1.7.10.4
+
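Review bot: In the `answer_auth()` and `answer_request()` hunks the memset length is `(limit - ((char *)header)) - qlen` with no visible check that `qlen` fits inside the buffer; if `qlen` were ever larger than `limit - header`, the unsigned result would wrap to a very large count and the clear itself would overrun. Either guard the call with a `qlen <= limit - (char *)header` test or add a comment stating which caller guarantees it. In `src/tftp.c`, `tftp_err()` and `get_block()` zero `daemon->packet_buff_sz` bytes starting at `packet`, which is only correct while `packet` is always the daemon's own packet buffer; a comment saying so would help, and `get_block()` now pays for a full-buffer clear on every block. The new comment in `reset_counter()` has a typo (`begining`).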
diff --git a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
new file mode 100644
index 0000000..ab8ba28
--- /dev/null
+++ b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
@@ -0,0 +1,54 @@
+From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Fri, 22 Jul 2016 20:59:16 +0100
+Subject: [PATCH] Don't reset packet length on transmission, in case of
+ retransmission.
+
+---
+ src/radv.c | 2 +-
+ src/rfc3315.c | 2 +-
+ src/slaac.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/radv.c b/src/radv.c
+index 39c9217..ffc37f2 100644
+--- a/src/radv.c
++++ b/src/radv.c
+@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
+ }
+
+ while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base,
+- save_counter(0), 0, (struct sockaddr *)&addr,
++ save_counter(-1), 0, (struct sockaddr *)&addr,
+ sizeof(addr))));
+
+ }
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index e1271a1..c7bf46f 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
+ my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without correct interface"));
+ }
+
+- send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0), &to, &from, 0);
++ send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-1), &to, &from, 0);
+
+ if (option_bool(OPT_LOG_OPTS))
+ {
+diff --git a/src/slaac.c b/src/slaac.c
+index bd6c9b4..7ecf127 100644
+--- a/src/slaac.c
++++ b/src/slaac.c
+@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
+ addr.sin6_port = htons(IPPROTO_ICMPV6);
+ addr.sin6_addr = slaac->addr;
+
+- if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0,
++ if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0,
+ (struct sockaddr *)&addr, sizeof(addr)) == -1 &&
+ errno == EHOSTUNREACH)
+ slaac->ping_time = 0; /* Give up */
+--
+1.7.10.4
+
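Review bot: `save_counter(-1)` at the three send sites relies on -1 as a magic "read without changing" argument, which is easy to misread next to the `save_counter(0)` it replaces. A small named accessor, or a one-line comment at each call saying the length must be preserved for a possible retransmission, would make the intent clear. The patch description is only a subject line; a sentence describing the behaviour seen on retransmission would help anyone backporting it.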
diff --git a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
new file mode 100644
index 0000000..c71f470
--- /dev/null
+++ b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
@@ -0,0 +1,103 @@
+From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Fri, 22 Jul 2016 21:37:59 +0100
+Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing
+ code.
+
+---
+ src/dhcp-common.c | 16 ++++++++--------
+ src/dhcp-protocol.h | 4 ++++
+ src/lease.c | 9 ++++++++-
+ src/rfc3315.c | 2 +-
+ 4 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/src/dhcp-common.c b/src/dhcp-common.c
+index 08528e8..ecc752b 100644
+--- a/src/dhcp-common.c
++++ b/src/dhcp-common.c
+@@ -20,11 +20,11 @@
+
+ void dhcp_common_init(void)
+ {
+- /* These each hold a DHCP option max size 255
+- and get a terminating zero added */
+- daemon->dhcp_buff = safe_malloc(256);
+- daemon->dhcp_buff2 = safe_malloc(256);
+- daemon->dhcp_buff3 = safe_malloc(256);
++ /* These each hold a DHCP option max size 255
++ and get a terminating zero added */
++ daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ);
++ daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ);
++ daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ);
+
+ /* dhcp_packet is used by v4 and v6, outpacket only by v6
+ sizeof(struct dhcp_packet) is as good an initial size as any,
+@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context)
+ if (context->flags & CONTEXT_RA_STATELESS)
+ {
+ if (context->flags & CONTEXT_TEMPLATE)
+- strncpy(daemon->dhcp_buff, context->template_interface, 256);
++ strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
+ else
+ strcpy(daemon->dhcp_buff, daemon->addrbuff);
+ }
+ else
+ #endif
+- inet_ntop(family, start, daemon->dhcp_buff, 256);
+- inet_ntop(family, end, daemon->dhcp_buff3, 256);
++ inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
++ inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
+ my_syslog(MS_DHCP | LOG_INFO,
+ (context->flags & CONTEXT_RA_STATELESS) ?
+ _("%s stateless on %s%.0s%.0s%s") :
+diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h
+index a31d829..0ea449b 100644
+--- a/src/dhcp-protocol.h
++++ b/src/dhcp-protocol.h
+@@ -19,6 +19,10 @@
+ #define DHCP_CLIENT_ALTPORT 1068
+ #define PXE_PORT 4011
+
++/* These each hold a DHCP option max size 255
++ and get a terminating zero added */
++#define DHCP_BUFF_SZ 256
++
+ #define BOOTREQUEST 1
+ #define BOOTREPLY 2
+ #define DHCP_COOKIE 0x63825363
+diff --git a/src/lease.c b/src/lease.c
+index 20cac90..ca62cc5 100644
+--- a/src/lease.c
++++ b/src/lease.c
+@@ -65,7 +65,14 @@ void lease_init(time_t now)
+ }
+
+ /* client-id max length is 255 which is 255*2 digits + 254 colons
+- borrow DNS packet buffer which is always larger than 1000 bytes */
++ borrow DNS packet buffer which is always larger than 1000 bytes
++
++ Check various buffers are big enough for the code below */
++
++#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764)
++# error Buffer size breakage in leasfile parsing.
++#endif
++
+ if (leasestream)
+ while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2)
+ {
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index c7bf46f..568b0c8 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
+
+ if (addr)
+ {
+- inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255);
++ inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1);
+ strcat(daemon->dhcp_buff2, " ");
+ }
+ else
+--
+1.7.10.4
+
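Review bot: The new guard in `lease_init()` tests `DHCP_BUFF_SZ < 255`, but the `fscanf` right below it reads with `%255s`, which stores up to 255 characters plus a terminating NUL, so each buffer needs 256 bytes. The condition should be `DHCP_BUFF_SZ < 256`; as written, a value of 255 passes the check and the read can still overflow by one byte. In `log_context()`, `strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ)` leaves the buffer unterminated when the source fills it, so copy at most `DHCP_BUFF_SZ - 1` bytes and terminate explicitly. The `#error` text has a typo (`leasfile`).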
hooks/post-receive
--
IPFire 2.x development tree