| author | Florian Obser <florian@cvs.openbsd.org> | 2022-03-21 16:25:48 +0000 |
|---|---|---|
| committer | Florian Obser <florian@cvs.openbsd.org> | 2022-03-21 16:25:48 +0000 |
| commit | 88060819ab2847dacd71c738e9a054dc0f24e840 (patch) | |
| tree | bdc79cbf45b5c1ca5a0ca493593f057107c28cd1 /usr.sbin | |
| parent | d5cdfdd85cd83aa40cea189a3346a1a68dc8a697 (diff) | |
Prevent crash of unprivileged engine process (pledged stdio).
The length field of a DNS label in the DNS search list option is an 8
bit unsigned value. parse_dnssl() treats the search list option as an
array of char, which are signed on most archs. When we read this value
into an int variable it gets sign extended, allowing it to bypass
sanity checks and eventually we pass it as the length to memcpy which
treats it as a huge unsigned value leading to a heap overflow.
An easy fix would be to change the signature of parse_dnssl to
parse_dnssl(uint8_t* data, int datalen).
However, the DNS search list option is unused and the function fails
to check if the parsed value is a valid domain name. The function is
also getting in the way of future work so it's best to just delete it.
The problem was found and reported by qualys, thanks!
OK bluhm
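The sign-extension bug the commit message describes, shown as an added example that is constructed here and is not slaacd's parse_dnssl nor any code from this commit. label_len_buggy mimics the broken shape (the 8-bit length read out of a signed char array into an int, so a value of 0x80 or above becomes negative, slips past a "length exceeds remaining bytes" check and turns into a huge size_t at the memcpy call); dnssl_to_name is a hardened walker that reads lengths as uint8_t and also enforces the label and name limits and the hostname character rule, which the message says the original never checked. The function names, the DNS_MAXLABEL and DNS_MAXNAME constants, the wrapper helpers and the option byte strings are all constructed assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAXLABEL 63     /* RFC 1035 label limit (constructed constant) */
#define DNS_MAXNAME  253    /* max dotted-name length (constructed constant) */

/*
 * Broken shape, constructed after the commit message (not slaacd's code):
 * option bytes handled as a signed char array, 8-bit length read into an
 * int.  'signed char' is spelled out so the outcome does not depend on the
 * platform's char signedness.  Returns 0 and stores the byte count that
 * would reach memcpy, or -1 if the length was rejected.
 */
int
label_len_buggy(const signed char *data, int datalen, int pos, size_t *out)
{
    int len;

    if (pos < 0 || pos >= datalen)
        return -1;
    len = data[pos];                /* 0x80..0xff sign-extend to -128..-1 */
    if (len > datalen - pos - 1)    /* a negative len never trips this */
        return -1;
    *out = (size_t)len;             /* -1 becomes SIZE_MAX as memcpy's size */
    return 0;
}

/*
 * Hardened walker (added example): uint8_t lengths, every label bounded
 * against the option, RFC 1035 label/name limits, letters-digits-hyphen
 * hostname rule, result written as a dotted name.  Returns the number of
 * option bytes consumed, or -1 on malformed input.
 */
int
dnssl_to_name(const uint8_t *data, size_t datalen, char *name, size_t namelen)
{
    size_t pos = 0, outpos = 0, i, need;
    uint8_t len;

    if (namelen == 0)
        return -1;
    for (;;) {
        if (pos >= datalen)
            return -1;              /* ran off the option, no terminating 0 */
        len = data[pos++];          /* 0..255, never negative */
        if (len == 0)
            break;
        if (len > DNS_MAXLABEL || len > datalen - pos)
            return -1;              /* label too long or past option end */
        need = outpos + (outpos > 0 ? 1 : 0) + len;   /* dot + label */
        if (need > DNS_MAXNAME || need + 1 > namelen)
            return -1;              /* name too long or no room for NUL */
        for (i = 0; i < len; i++)
            if (!isalnum(data[pos + i]) && data[pos + i] != '-')
                return -1;          /* not a hostname character */
        if (outpos > 0)
            name[outpos++] = '.';
        memcpy(name + outpos, data + pos, len);   /* len is at most 63 here */
        outpos += len;
        pos += len;
    }
    name[outpos] = '\0';
    return (int)pos;
}

/* Constructed sample option bodies (not captured traffic). */
static const uint8_t good_opt[]  = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t bad_opt[]   = { 0xff, 'a', 'b' };                 /* length byte 0xff */
static const uint8_t trunc_opt[] = { 7,'e','x','a','m','p','l','e' };  /* no terminator */

/* Size the buggy path would hand to memcpy for bad_opt (0 if rejected). */
size_t
buggy_len_for_bad_opt(void)
{
    size_t n = 0;

    if (label_len_buggy((const signed char *)bad_opt, sizeof(bad_opt), 0, &n) != 0)
        return 0;
    return n;
}

/* Hardened parse of opt: bytes consumed if the name equals expect,
 * -1 if rejected, -2 if it parsed to something else. */
int
name_from(const uint8_t *opt, size_t optlen, const char *expect)
{
    char name[DNS_MAXNAME + 1];
    int n = dnssl_to_name(opt, optlen, name, sizeof(name));

    if (n < 0)
        return -1;
    return strcmp(name, expect) == 0 ? n : -2;
}

int
main(void)
{
    printf("buggy path, 0xff length byte: memcpy size %zu\n", buggy_len_for_bad_opt());
    printf("hardened: bad=%d truncated=%d good=%d\n",
        name_from(bad_opt, sizeof(bad_opt), ""),
        name_from(trunc_opt, sizeof(trunc_opt), ""),
        name_from(good_opt, sizeof(good_opt), "example.com"));
    return 0;
}
```

The buggy path accepts the 0xff length byte and would pass SIZE_MAX to memcpy; the hardened walker rejects it at the label-length check, rejects the option that lacks its terminating zero, and consumes all 13 bytes of the well-formed "example.com" encoding.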
Diffstat (limited to 'usr.sbin')
-rw-r--r-- usr.sbin/slaacctl/slaacctl.c | 8
1 files changed, 1 insertions, 7 deletions
diff --git a/usr.sbin/slaacctl/slaacctl.c b/usr.sbin/slaacctl/slaacctl.c index aa80b999c49..6128785db2a 100644 --- a/usr.sbin/slaacctl/slaacctl.c +++ b/usr.sbin/slaacctl/slaacctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: slaacctl.c,v 1.22 2021/03/21 18:25:24 florian Exp $ */ +/* $OpenBSD: slaacctl.c,v 1.23 2022/03/21 16:25:47 florian Exp $ */ /* * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> @@ -177,7 +177,6 @@ show_interface_msg(struct imsg *imsg) struct ctl_engine_info_ra *cei_ra; struct ctl_engine_info_ra_prefix *cei_ra_prefix; struct ctl_engine_info_ra_rdns *cei_ra_rdns; - struct ctl_engine_info_ra_dnssl *cei_ra_dnssl; struct ctl_engine_info_address_proposal *cei_addr_proposal; struct ctl_engine_info_dfr_proposal *cei_dfr_proposal; struct ctl_engine_info_rdns_proposal *cei_rdns_proposal; @@ -257,11 +256,6 @@ show_interface_msg(struct imsg *imsg) &cei_ra_rdns->rdns, ntopbuf, INET6_ADDRSTRLEN), cei_ra_rdns->lifetime); break; - case IMSG_CTL_SHOW_INTERFACE_INFO_RA_DNSSL: - cei_ra_dnssl = imsg->data; - printf("\t\tsearch: %s, lifetime: %u\n", cei_ra_dnssl->dnssl, - cei_ra_dnssl->lifetime); - break; case IMSG_CTL_SHOW_INTERFACE_INFO_ADDR_PROPOSALS: printf("\tAddress proposals\n"); break; |
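Review bot: with the IMSG_CTL_SHOW_INTERFACE_INFO_RA_DNSSL case dropped from show_interface_msg() in the third hunk, any message of that type the engine still sends will now take whatever path the switch has for unhandled types, which is not visible here; since this view is limited to usr.sbin, confirm that the daemon-side sender and the definitions of IMSG_CTL_SHOW_INTERFACE_INFO_RA_DNSSL and struct ctl_engine_info_ra_dnssl (the only remaining users of the cei_ra_dnssl declaration removed in the second hunk) are removed in the same commit, otherwise the imsg type survives as dead protocol surface between slaacctl and the engine.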