diff options
Diffstat (limited to 'meta/recipes-core/busybox/busybox/CVE-2016-2148.patch')
-rw-r--r-- | meta/recipes-core/busybox/busybox/CVE-2016-2148.patch | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch b/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch deleted file mode 100644 index af04a7f5bd..0000000000 --- a/meta/recipes-core/busybox/busybox/CVE-2016-2148.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 352f79acbd759c14399e39baef21fc4ffe180ac2 Mon Sep 17 00:00:00 2001 -From: Denys Vlasenko <vda.linux@googlemail.com> -Date: Fri, 26 Feb 2016 15:54:56 +0100 -Subject: [PATCH] udhcpc: fix OPTION_6RD parsing (could overflow its malloced - buffer) - -Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> - -Upstream-Status: Backport -CVE: CVE-2016-2148 -https://git.busybox.net/busybox/commit/?id=352f79 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - networking/udhcp/common.c | 15 +++++++++++++-- - networking/udhcp/dhcpc.c | 4 ++-- - 2 files changed, 15 insertions(+), 4 deletions(-) - -Index: busybox-1.23.2/networking/udhcp/common.c -=================================================================== ---- busybox-1.23.2.orig/networking/udhcp/common.c -+++ busybox-1.23.2/networking/udhcp/common.c -@@ -142,7 +142,7 @@ const char dhcp_option_strings[] ALIGN1 - * udhcp_str2optset: to determine how many bytes to allocate. - * xmalloc_optname_optval: to estimate string length - * from binary option length: (option[LEN] / dhcp_option_lengths[opt_type]) -- * is the number of elements, multiply in by one element's string width -+ * is the number of elements, multiply it by one element's string width - * (len_of_option_as_string[opt_type]) and you know how wide string you need. - */ - const uint8_t dhcp_option_lengths[] ALIGN1 = { -@@ -162,7 +162,18 @@ const uint8_t dhcp_option_lengths[] ALIG - [OPTION_S32] = 4, - /* Just like OPTION_STRING, we use minimum length here */ - [OPTION_STATIC_ROUTES] = 5, -- [OPTION_6RD] = 22, /* ignored by udhcp_str2optset */ -+ [OPTION_6RD] = 12, /* ignored by udhcp_str2optset */ -+ /* The above value was chosen as follows: -+ * len_of_option_as_string[] for this option is >60: it's a string of the form -+ * "32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 ". -+ * Each additional ipv4 address takes 4 bytes in binary option and appends -+ * another "255.255.255.255 " 16-byte string. We can set [OPTION_6RD] = 4 -+ * but this severely overestimates string length: instead of 16 bytes, -+ * it adds >60 for every 4 bytes in binary option. -+ * We cheat and declare here that option is in units of 12 bytes. -+ * This adds more than 60 bytes for every three ipv4 addresses - more than enough. -+ * (Even 16 instead of 12 should work, but let's be paranoid). -+ */ - }; - - -Index: busybox-1.23.2/networking/udhcp/dhcpc.c -=================================================================== ---- busybox-1.23.2.orig/networking/udhcp/dhcpc.c -+++ busybox-1.23.2/networking/udhcp/dhcpc.c -@@ -103,7 +103,7 @@ static const uint8_t len_of_option_as_st - [OPTION_IP ] = sizeof("255.255.255.255 "), - [OPTION_IP_PAIR ] = sizeof("255.255.255.255 ") * 2, - [OPTION_STATIC_ROUTES ] = sizeof("255.255.255.255/32 255.255.255.255 "), -- [OPTION_6RD ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "), -+ [OPTION_6RD ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "), - [OPTION_STRING ] = 1, - [OPTION_STRING_HOST ] = 1, - #if ENABLE_FEATURE_UDHCP_RFC3397 -@@ -214,7 +214,7 @@ static NOINLINE char *xmalloc_optname_op - type = optflag->flags & OPTION_TYPE_MASK; - optlen = dhcp_option_lengths[type]; - upper_length = len_of_option_as_string[type] -- * ((unsigned)(len + optlen - 1) / (unsigned)optlen); -+ * ((unsigned)(len + optlen) / (unsigned)optlen); - - dest = ret = xmalloc(upper_length + strlen(opt_name) + 2); - dest += sprintf(ret, "%s=", opt_name); |