openwrt/package/utils/busybox/patches/006-upstream_CVE-2011-2716_fixes.patch
John Crispin 4ebf19b48f packages: clean up the package folder
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 37007
2013-06-21 16:54:37 +00:00

165 lines
6.5 KiB
Diff

--- a/networking/udhcp/common.c
+++ b/networking/udhcp/common.c
@@ -29,16 +29,16 @@ const struct dhcp_optflag dhcp_optflags[
// { OPTION_IP | OPTION_LIST , 0x07 }, /* DHCP_LOG_SERVER */
// { OPTION_IP | OPTION_LIST , 0x08 }, /* DHCP_COOKIE_SERVER */
{ OPTION_IP | OPTION_LIST , 0x09 }, /* DHCP_LPR_SERVER */
- { OPTION_STRING | OPTION_REQ, 0x0c }, /* DHCP_HOST_NAME */
+ { OPTION_STRING_HOST | OPTION_REQ, 0x0c }, /* DHCP_HOST_NAME */
{ OPTION_U16 , 0x0d }, /* DHCP_BOOT_SIZE */
- { OPTION_STRING | OPTION_REQ, 0x0f }, /* DHCP_DOMAIN_NAME */
+ { OPTION_STRING_HOST | OPTION_REQ, 0x0f }, /* DHCP_DOMAIN_NAME */
{ OPTION_IP , 0x10 }, /* DHCP_SWAP_SERVER */
{ OPTION_STRING , 0x11 }, /* DHCP_ROOT_PATH */
{ OPTION_U8 , 0x17 }, /* DHCP_IP_TTL */
{ OPTION_U16 , 0x1a }, /* DHCP_MTU */
{ OPTION_IP | OPTION_REQ, 0x1c }, /* DHCP_BROADCAST */
{ OPTION_IP_PAIR | OPTION_LIST , 0x21 }, /* DHCP_ROUTES */
- { OPTION_STRING , 0x28 }, /* DHCP_NIS_DOMAIN */
+ { OPTION_STRING_HOST , 0x28 }, /* DHCP_NIS_DOMAIN */
{ OPTION_IP | OPTION_LIST , 0x29 }, /* DHCP_NIS_SERVER */
{ OPTION_IP | OPTION_LIST | OPTION_REQ, 0x2a }, /* DHCP_NTP_SERVER */
{ OPTION_IP | OPTION_LIST , 0x2c }, /* DHCP_WINS_SERVER */
@@ -46,7 +46,7 @@ const struct dhcp_optflag dhcp_optflags[
{ OPTION_IP , 0x36 }, /* DHCP_SERVER_ID */
{ OPTION_STRING , 0x38 }, /* DHCP_ERR_MESSAGE */
//TODO: must be combined with 'sname' and 'file' handling:
- { OPTION_STRING , 0x42 }, /* DHCP_TFTP_SERVER_NAME */
+ { OPTION_STRING_HOST , 0x42 }, /* DHCP_TFTP_SERVER_NAME */
{ OPTION_STRING , 0x43 }, /* DHCP_BOOT_FILE */
//TODO: not a string, but a set of LASCII strings:
// { OPTION_STRING , 0x4D }, /* DHCP_USER_CLASS */
@@ -143,6 +143,7 @@ const uint8_t dhcp_option_lengths[] ALIG
[OPTION_IP_PAIR] = 8,
// [OPTION_BOOLEAN] = 1,
[OPTION_STRING] = 1, /* ignored by udhcp_str2optset */
+ [OPTION_STRING_HOST] = 1, /* ignored by udhcp_str2optset */
#if ENABLE_FEATURE_UDHCP_RFC3397
[OPTION_DNS_STRING] = 1, /* ignored by both udhcp_str2optset and xmalloc_optname_optval */
[OPTION_SIP_SERVERS] = 1,
@@ -411,7 +412,9 @@ static NOINLINE void attach_option(
/* actually 255 is ok too, but adding a space can overlow it */
existing->data = xrealloc(existing->data, OPT_DATA + 1 + old_len + length);
- if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING) {
+ if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING
+ || (optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING_HOST
+ ) {
/* add space separator between STRING options in a list */
existing->data[OPT_DATA + old_len] = ' ';
old_len++;
@@ -475,6 +478,7 @@ int FAST_FUNC udhcp_str2optset(const cha
retval = udhcp_str2nip(val, buffer + 4);
break;
case OPTION_STRING:
+ case OPTION_STRING_HOST:
#if ENABLE_FEATURE_UDHCP_RFC3397
case OPTION_DNS_STRING:
#endif
--- a/networking/udhcp/common.h
+++ b/networking/udhcp/common.h
@@ -80,6 +80,9 @@ enum {
OPTION_IP = 1,
OPTION_IP_PAIR,
OPTION_STRING,
+ /* Opts of STRING_HOST type will be sanitized before they are passed
+ * to udhcpc script's environment: */
+ OPTION_STRING_HOST,
// OPTION_BOOLEAN,
OPTION_U8,
OPTION_U16,
--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c
@@ -101,6 +101,7 @@ static const uint8_t len_of_option_as_st
[OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2,
[OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "),
[OPTION_STRING ] = 1,
+ [OPTION_STRING_HOST ] = 1,
#if ENABLE_FEATURE_UDHCP_RFC3397
[OPTION_DNS_STRING ] = 1, /* unused */
/* Hmmm, this severely overestimates size if SIP_SERVERS option
@@ -135,6 +136,63 @@ static int mton(uint32_t mask)
return i;
}
+/* Check if a given label represents a valid DNS label
+ * Return pointer to the first character after the label upon success,
+ * NULL otherwise.
+ * See RFC1035, 2.3.1
+ */
+/* We don't need to be particularly anal. For example, allowing _, hyphen
+ * at the end, or leading and trailing dots would be ok, since it
+ * can't be used for attacks. (Leading hyphen can be, if someone uses
+ * cmd "$hostname"
+ * in the script: then hostname may be treated as an option)
+ */
+static const char *valid_domain_label(const char *label)
+{
+ unsigned char ch;
+ unsigned pos = 0;
+
+ for (;;) {
+ ch = *label;
+ if ((ch|0x20) < 'a' || (ch|0x20) > 'z') {
+ if (pos == 0) {
+ /* label must begin with letter */
+ return NULL;
+ }
+ if (ch < '0' || ch > '9') {
+ if (ch == '\0' || ch == '.')
+ return label;
+ /* DNS allows only '-', but we are more permissive */
+ if (ch != '-' && ch != '_')
+ return NULL;
+ }
+ }
+ label++;
+ pos++;
+ //Do we want this?
+ //if (pos > 63) /* NS_MAXLABEL; labels must be 63 chars or less */
+ // return NULL;
+ }
+}
+
+/* Check if a given name represents a valid DNS name */
+/* See RFC1035, 2.3.1 */
+static int good_hostname(const char *name)
+{
+ //const char *start = name;
+
+ for (;;) {
+ name = valid_domain_label(name);
+ if (!name)
+ return 0;
+ if (!name[0])
+ return 1;
+ //Do we want this?
+ //return ((name - start) < 1025); /* NS_MAXDNAME */
+ name++;
+ }
+}
+
/* Create "opt_name=opt_value" string */
static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_optflag *optflag, const char *opt_name)
{
@@ -185,8 +243,11 @@ static NOINLINE char *xmalloc_optname_op
break;
}
case OPTION_STRING:
+ case OPTION_STRING_HOST:
memcpy(dest, option, len);
dest[len] = '\0';
+ if (type == OPTION_STRING_HOST && !good_hostname(dest))
+ safe_strncpy(dest, "bad", len);
return ret; /* Short circuit this case */
case OPTION_STATIC_ROUTES: {
/* Option binary format:
@@ -314,6 +375,7 @@ static char **fill_envp(struct dhcp_pack
/* +1 element for each option, +2 for subnet option: */
if (packet) {
/* note: do not search for "pad" (0) and "end" (255) options */
+//TODO: change logic to scan packet _once_
for (i = 1; i < 255; i++) {
temp = udhcp_get_option(packet, i);
if (temp) {