dhcpcd DoS attack

2014.07.31
Credit: Roy
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

dhcpcd-4.0.0 through to dhcpcd-6.4.2 are vulnerable to a DoS attack.

As reported by Tobias Stoeckmann:

In function get_option, the DHO_OPTIONSOVERLOADED option checks if there are overloaded options, like bootfile or servername. It tries to make sure that it's called only once, BUT overwrites that information after receiving a DHO_END. A malicious server could set the option DHO_OPTIONSOVERLOADED yet another time in the bootfile or servername section, which will result in another jump -- maybe into the same area.

This has been fixed upstream here:
http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0

Index: dhcp.c ================================================================== --- dhcp.c +++ dhcp.c @@ -201,13 +201,16 @@ e = p + sizeof(dhcp->servername); } else goto exit; break; case DHO_OPTIONSOVERLOADED: - /* Ensure we only get this option once */ + /* Ensure we only get this option once by setting + * the last bit as well as the value. + * This is valid because only the first two bits + * actually mean anything in RFC2132 Section 9.3 */ if (!overl) - overl = p[1]; + overl = 0x80 | p[1]; break; } l = *p++; p += l; }

I would like to request a CVE for the issue.
dhcpcd-6.4.3 has been released with the above fix.

Thanks
Roy
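Review bot: the guard `if (!overl)` now depends on an invariant that lives outside this hunk: whatever code consumes overl after DHO_END must clear only bits 0 and 1 and leave bit 7 set, otherwise overl drops back to 0 and a second DHO_OPTIONSOVERLOADED in the bootfile or servername area re-arms the jump exactly as before. Suggest replacing the magic `0x80` with a named flag (for example a `DHO_OVERLOAD_SEEN` style constant) and stating that invariant at the place where the bits are cleared, so a later edit there cannot silently reintroduce the loop. Also confirm that the option length has been validated before `p[1]` is read here; the hunk itself shows no check that the value byte is inside the buffer.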

References:

http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
http://seclists.org/oss-sec/2014/q3/261
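The double jump described in the report, shown as an added example that is not dhcpcd's code: a simplified option walker runs the vulnerable guard (overl set from the value and fully cleared on jump) and the fixed guard (value plus a "seen" bit) over the same constructed message; the struct layout, area sizes and function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* Constructed, simplified DHCP message: an options area plus the "file"
 * (bootfile) and "sname" (servername) areas that option 52 can redirect the
 * parser into (RFC 2132 section 9.3). Sizes are hypothetical, not dhcpcd's. */
enum { AREA_LEN = 16, DHO_OPTIONSOVERLOADED = 52, DHO_END = 255,
       OVERLOAD_FILE = 1, OVERLOAD_SNAME = 2,
       OVERLOAD_SEEN = 0x80 /* the "last bit" the upstream fix sets */ };
struct msg { uint8_t options[AREA_LEN], file[AREA_LEN], sname[AREA_LEN]; };
/* Walk the options of m. Returns the number of area jumps taken, -1 on a
 * malformed option, or max_jumps+1 if the walk would never terminate.
 * fixed == 0 mirrors the vulnerable guard (overl = value, cleared on jump);
 * fixed == 1 also sets OVERLOAD_SEEN so the guard can never re-arm. */
static int walk_options(const struct msg *m, int fixed, int max_jumps)
{
    const uint8_t *p = m->options, *e = p + AREA_LEN;
    uint8_t overl = 0;
    int jumps = 0;
    for (;;) {
        while (p < e && *p != DHO_END) {
            if (*p == 0) { p++; continue; }                      /* pad option */
            if (e - p < 2 || e - p < 2 + p[1]) return -1;        /* truncated TLV */
            if (*p == DHO_OPTIONSOVERLOADED && p[1] == 1 && !overl)
                overl = fixed ? (OVERLOAD_SEEN | p[2]) : p[2];
            p += 2 + p[1];
        }
        /* Same consumption logic in both modes: only bits 0 and 1 are cleared,
         * so in vulnerable mode overl returns to 0 and a second option 52
         * found in the overloaded area re-arms the jump. */
        if (overl & OVERLOAD_FILE) {
            overl &= (uint8_t)~OVERLOAD_FILE;  p = m->file;  e = p + AREA_LEN;
        } else if (overl & OVERLOAD_SNAME) {
            overl &= (uint8_t)~OVERLOAD_SNAME; p = m->sname; e = p + AREA_LEN;
        } else return jumps;
        if (++jumps > max_jumps) return jumps;                   /* looping */
    }
}
/* Constructed message: option 52 (overload = file) in the options area and
 * again inside the file area it redirects to, as the report describes. */
int demo(int fixed)
{
    struct msg m;
    const uint8_t ovl[] = { DHO_OPTIONSOVERLOADED, 1, OVERLOAD_FILE, DHO_END };
    memset(&m, 0, sizeof m);
    memcpy(m.options, ovl, sizeof ovl);
    memcpy(m.file, ovl, sizeof ovl);
    return walk_options(&m, fixed, 8);  /* 9 when vulnerable, 1 when fixed */
}
```

With the vulnerable guard the walk exceeds the jump cap (an unbounded loop in the real client); with the seen bit set it takes exactly one jump and stops.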

