From 2fc84114c6323bf1e3d3598af52dd1523168c9fc Mon Sep 17 00:00:00 2001 From: Catalin Enache Date: Mon, 18 Apr 2016 15:52:16 +0300 Subject: dhcp: CVE-2016-2774 ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2774 Signed-off-by: Catalin Enache Signed-off-by: Ross Burton --- .../dhcp/dhcp/CVE-2016-2774.patch | 65 ++++++++++++++++++++++ meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-connectivity/dhcp/dhcp/CVE-2016-2774.patch diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2016-2774.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2016-2774.patch new file mode 100644 index 0000000000..4836dbc2ac --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2016-2774.patch @@ -0,0 +1,65 @@ +From b9f56d578ebfd649b5d829960540859ac6ca931c Mon Sep 17 00:00:00 2001 +From: Catalin Enache +Date: Tue, 12 Apr 2016 18:23:31 +0300 +Subject: [PATCH] Add patch to limit the value of an fd we accept for a + connection. + +By limiting the highest value we accept for an fd we limit the number +of connections. + +Upstream-Status: Backport +CVE: CVE-2016-2774 + +Author: Shawn Routhier +Signed-off-by: Catalin Enache +--- + includes/site.h | 6 ++++++ + omapip/listener.c | 9 +++++++-- + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/includes/site.h b/includes/site.h +index 9c33de3..df020c8 100644 +--- a/includes/site.h ++++ b/includes/site.h +@@ -290,6 +290,12 @@ + this option will be removed at some time. */ + /* #define INCLUDE_OLD_DHCP_ISC_ERROR_CODES */ + ++/* Limit the value of a file descriptor the serve will use ++ when accepting a connecting request. This can be used to ++ limit the number of TCP connections that the server will ++ allow at one time. A value of 0 means there is no limit.*/ ++#define MAX_FD_VALUE 200 ++ + /* Include definitions for various options. In general these + should be left as is, but if you have already defined one + of these and prefer your definition you can comment the +diff --git a/omapip/listener.c b/omapip/listener.c +index 8bdcdbd..61473cf 100644 +--- a/omapip/listener.c ++++ b/omapip/listener.c +@@ -3,7 +3,7 @@ + Subroutines that support the generic listener object. */ + + /* +- * Copyright (c) 2012,2014 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012,2014,2016 by Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 2004,2007,2009 by Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 1999-2003 by Internet Software Consortium + * +@@ -233,7 +233,12 @@ isc_result_t omapi_accept (omapi_object_t *h) + return ISC_R_NORESOURCES; + return ISC_R_UNEXPECTED; + } +- ++ ++ if ((MAX_FD_VALUE != 0) && (socket > MAX_FD_VALUE)) { ++ close(socket); ++ return (ISC_R_NORESOURCES); ++ } ++ + #if defined (TRACING) + /* If we're recording a trace, remember the connection. */ + if (trace_record ()) { +-- +2.7.4 diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb index 970617ff92..4e8cd272b8 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.3.3.bb @@ -8,6 +8,7 @@ SRC_URI += "file://dhcp-3.0.3-dhclient-dbus.patch;striplevel=0 \ file://replace-ifconfig-route.patch \ file://CVE-2015-8605.patch \ file://0001-site.h-enable-gentle-shutdown.patch \ + file://CVE-2016-2774.patch \ " SRC_URI[md5sum] = "c5577b09c9017cdd319a11ff6364268e" -- cgit 1.2.3-korg