Package: pump
Version: 0.8.24-7.1
Severity: grave
Tags: security
There is a missing check in source file dhcp.c, function
handleTransaction(), line 958, when copying the body of the server response into
struct bootpRequest bresp. The Ethernet packet length can be greater than
sizeof(*bresp) == 548, but handleTransaction() only checks (line 914) that
j - sizeof (*ipHdr) - sizeof (*udpHdr) is non-negative. This allows an
attacker to overwrite up to ETH_FRAME_LEN - sizeof(*ipHdr) -
sizeof(*udpHdr) - sizeof(*bresp) bytes of the stack memory. If compiler
hardening is disabled, this vulnerability can lead to execution of
arbitrary code. I am not sure whether this is practically exploitable when
"-fstack-protector" is enabled.
I suggest applying the attached patch; however, it is not tested.
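The following is an added illustration, not code from pump, that models the length arithmetic the report describes: a datagram of j bytes (IP header onwards) whose body is copied into a 548-byte struct bootpRequest, first with only the non-negativity test from line 914 and then with the additional upper bound the patch introduces. The 548-byte struct size is taken from the report; ETH_FRAME_LEN = 1514, a 20-byte IP header without options, an 8-byte UDP header, and all function and type names here are assumptions made for the example.

```c
/* Added example modelling the bounds check discussed in the report.
 * Not pump's code: struct layout, header sizes and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_FRAME_LEN     1514 /* assumed: Linux max frame incl. 14-byte header */
#define IP_HDR_LEN        20   /* assumed: sizeof (struct iphdr), no options */
#define UDP_HDR_LEN       8    /* assumed: sizeof (struct udphdr) */
#define BOOTP_REQUEST_LEN 548  /* sizeof (*bresp) as stated in the report */

/* Stand-in for struct bootpRequest: only its size matters here. */
struct bootp_model {
    unsigned char body[BOOTP_REQUEST_LEN];
};

/* What the copy at line 958 would do for a datagram of j bytes. */
struct copy_result {
    int    accepted; /* 1 if the packet passes the length checks */
    size_t copy_len; /* bytes the copy into bresp would write */
    size_t overflow; /* bytes written past the end of bresp (0 when safe) */
};

/* Vulnerable arithmetic: only rejects datagrams too short to hold the
 * IP and UDP headers (the "non-negative" test), then copies the whole
 * body regardless of how large it is. */
struct copy_result vulnerable_len_check(size_t j)
{
    struct copy_result r = {0, 0, 0};
    if (j < IP_HDR_LEN + UDP_HDR_LEN)
        return r;
    r.accepted = 1;
    r.copy_len = j - IP_HDR_LEN - UDP_HDR_LEN;
    r.overflow = r.copy_len > BOOTP_REQUEST_LEN
                   ? r.copy_len - BOOTP_REQUEST_LEN : 0;
    return r;
}

/* Hardened arithmetic: additionally drops any datagram whose body is
 * larger than the destination struct, as the proposed patch does.
 * A body of exactly sizeof (*bresp) bytes is still accepted. */
struct copy_result hardened_len_check(size_t j)
{
    struct copy_result r = vulnerable_len_check(j);
    if (r.accepted && r.copy_len > BOOTP_REQUEST_LEN) {
        r.accepted = 0;
        r.copy_len = 0;
        r.overflow = 0;
    }
    return r;
}

/* Performs the copy only on the hardened path; returns bytes copied or -1. */
int receive_into(struct bootp_model *bresp, const unsigned char *pkt, size_t j)
{
    struct copy_result r = hardened_len_check(j);
    if (!r.accepted)
        return -1;
    memset(bresp, 0, sizeof *bresp);
    memcpy(bresp->body, pkt + IP_HDR_LEN + UDP_HDR_LEN, r.copy_len);
    return (int) r.copy_len;
}

/* Largest stack overwrite a full-size frame could cause on the
 * vulnerable path: ETH_FRAME_LEN - IP - UDP - sizeof (*bresp). */
size_t max_stack_overwrite(void)
{
    return vulnerable_len_check(ETH_FRAME_LEN).overflow;
}

int main(void)
{
    /* Constructed oversized response: a full-size frame filled with 0x41. */
    unsigned char pkt[ETH_FRAME_LEN];
    struct bootp_model bresp;
    memset(pkt, 0x41, sizeof pkt);

    printf("vulnerable path would overflow bresp by %zu bytes\n",
           max_stack_overwrite());
    printf("hardened path result for full frame: %d\n",
           receive_into(&bresp, pkt, sizeof pkt));
    printf("hardened path result for 300-byte body: %d\n",
           receive_into(&bresp, pkt, IP_HDR_LEN + UDP_HDR_LEN + 300));
    return 0;
}
```

With the assumed header sizes the vulnerable path accepts a full-size frame and would write 938 bytes past the end of bresp, which matches the report's ETH_FRAME_LEN - sizeof(*ipHdr) - sizeof(*udpHdr) - sizeof(*bresp) expression; the hardened path rejects it and still accepts any body up to and including 548 bytes.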
--- dhcp.c 2019-03-01 00:00:00.000000000 +0000
+++ dhcp.c 2019-07-30 00:00:00.000000000 +0000
@@ -946,6 +946,13 @@ static char * handleTransaction(int s, s
continue;
if (udpHdr->dest != bootp_client_port)
continue;
+
+ /* Relevant responses cannot exceed sizeof (*bresp) due to
+ the value of DHCP_OPTION_MAXSIZE being set to it in our
+ requests. */
+ if (j - sizeof (*ipHdr) - sizeof (*udpHdr) > sizeof (*bresp))
+ continue;
+
/* Go on with this packet; it looks sane */
/* Originally copied sizeof (*bresp) - this is a security
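Review bot: the comment above the new check justifies the bound by DHCP_OPTION_MAXSIZE being set to sizeof (*bresp) in our requests, but a hostile server is not bound by what the client asked for, and the copy below is only safe because of this comparison; reword the comment to state that the check is a hard upper bound on the payload length protecting the copy into bresp, rather than a property that relevant responses happen to have. The comparison itself is right to use `>` so that a body of exactly sizeof (*bresp) bytes is still processed, but since j's declaration is not in the hunk, confirm that `j - sizeof (*ipHdr) - sizeof (*udpHdr)` is evaluated in one type: if j is a signed int it is converted to size_t, so a datagram shorter than the two headers wraps to a very large value and is dropped by this test, which is acceptable but deserves a note. Given that the report says the patch is untested, a test feeding a response longer than sizeof (*bresp) through handleTransaction() should accompany it.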