mirror of
https://github.com/sheumann/hush.git
synced 2024-12-24 12:29:47 +00:00
udhcpc: sanitize hostnames in incoming packets. Closes 3979.
The following options are replaced with string "bad" if they contain malformed hostname: HOST_NAME, DOMAIN_NAME, NIS_DOMAIN, TFTP_SERVER_NAME function old new delta xmalloc_optname_optval 850 888 +38 attach_option 440 443 +3 len_of_option_as_string 13 14 +1 dhcp_option_lengths 13 14 +1 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 4/0 up/down: 43/0) Total: 43 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
parent
53782d9221
commit
7280d2017d
@ -29,9 +29,9 @@ const struct dhcp_optflag dhcp_optflags[] = {
|
|||||||
// { OPTION_IP | OPTION_LIST , 0x07 }, /* DHCP_LOG_SERVER */
|
// { OPTION_IP | OPTION_LIST , 0x07 }, /* DHCP_LOG_SERVER */
|
||||||
// { OPTION_IP | OPTION_LIST , 0x08 }, /* DHCP_COOKIE_SERVER */
|
// { OPTION_IP | OPTION_LIST , 0x08 }, /* DHCP_COOKIE_SERVER */
|
||||||
{ OPTION_IP | OPTION_LIST , 0x09 }, /* DHCP_LPR_SERVER */
|
{ OPTION_IP | OPTION_LIST , 0x09 }, /* DHCP_LPR_SERVER */
|
||||||
{ OPTION_STRING | OPTION_REQ, 0x0c }, /* DHCP_HOST_NAME */
|
{ OPTION_STRING_HOST | OPTION_REQ, 0x0c }, /* DHCP_HOST_NAME */
|
||||||
{ OPTION_U16 , 0x0d }, /* DHCP_BOOT_SIZE */
|
{ OPTION_U16 , 0x0d }, /* DHCP_BOOT_SIZE */
|
||||||
{ OPTION_STRING | OPTION_REQ, 0x0f }, /* DHCP_DOMAIN_NAME */
|
{ OPTION_STRING_HOST | OPTION_REQ, 0x0f }, /* DHCP_DOMAIN_NAME */
|
||||||
{ OPTION_IP , 0x10 }, /* DHCP_SWAP_SERVER */
|
{ OPTION_IP , 0x10 }, /* DHCP_SWAP_SERVER */
|
||||||
{ OPTION_STRING , 0x11 }, /* DHCP_ROOT_PATH */
|
{ OPTION_STRING , 0x11 }, /* DHCP_ROOT_PATH */
|
||||||
{ OPTION_U8 , 0x17 }, /* DHCP_IP_TTL */
|
{ OPTION_U8 , 0x17 }, /* DHCP_IP_TTL */
|
||||||
@ -41,7 +41,7 @@ const struct dhcp_optflag dhcp_optflags[] = {
|
|||||||
//server would let us know anyway?
|
//server would let us know anyway?
|
||||||
{ OPTION_IP | OPTION_REQ, 0x1c }, /* DHCP_BROADCAST */
|
{ OPTION_IP | OPTION_REQ, 0x1c }, /* DHCP_BROADCAST */
|
||||||
{ OPTION_IP_PAIR | OPTION_LIST , 0x21 }, /* DHCP_ROUTES */
|
{ OPTION_IP_PAIR | OPTION_LIST , 0x21 }, /* DHCP_ROUTES */
|
||||||
{ OPTION_STRING , 0x28 }, /* DHCP_NIS_DOMAIN */
|
{ OPTION_STRING_HOST , 0x28 }, /* DHCP_NIS_DOMAIN */
|
||||||
{ OPTION_IP | OPTION_LIST , 0x29 }, /* DHCP_NIS_SERVER */
|
{ OPTION_IP | OPTION_LIST , 0x29 }, /* DHCP_NIS_SERVER */
|
||||||
{ OPTION_IP | OPTION_LIST | OPTION_REQ, 0x2a }, /* DHCP_NTP_SERVER */
|
{ OPTION_IP | OPTION_LIST | OPTION_REQ, 0x2a }, /* DHCP_NTP_SERVER */
|
||||||
{ OPTION_IP | OPTION_LIST , 0x2c }, /* DHCP_WINS_SERVER */
|
{ OPTION_IP | OPTION_LIST , 0x2c }, /* DHCP_WINS_SERVER */
|
||||||
@ -49,7 +49,7 @@ const struct dhcp_optflag dhcp_optflags[] = {
|
|||||||
{ OPTION_IP , 0x36 }, /* DHCP_SERVER_ID */
|
{ OPTION_IP , 0x36 }, /* DHCP_SERVER_ID */
|
||||||
{ OPTION_STRING , 0x38 }, /* DHCP_ERR_MESSAGE */
|
{ OPTION_STRING , 0x38 }, /* DHCP_ERR_MESSAGE */
|
||||||
//TODO: must be combined with 'sname' and 'file' handling:
|
//TODO: must be combined with 'sname' and 'file' handling:
|
||||||
{ OPTION_STRING , 0x42 }, /* DHCP_TFTP_SERVER_NAME */
|
{ OPTION_STRING_HOST , 0x42 }, /* DHCP_TFTP_SERVER_NAME */
|
||||||
{ OPTION_STRING , 0x43 }, /* DHCP_BOOT_FILE */
|
{ OPTION_STRING , 0x43 }, /* DHCP_BOOT_FILE */
|
||||||
//TODO: not a string, but a set of LASCII strings:
|
//TODO: not a string, but a set of LASCII strings:
|
||||||
// { OPTION_STRING , 0x4D }, /* DHCP_USER_CLASS */
|
// { OPTION_STRING , 0x4D }, /* DHCP_USER_CLASS */
|
||||||
@ -148,6 +148,7 @@ const uint8_t dhcp_option_lengths[] ALIGN1 = {
|
|||||||
[OPTION_IP_PAIR] = 8,
|
[OPTION_IP_PAIR] = 8,
|
||||||
// [OPTION_BOOLEAN] = 1,
|
// [OPTION_BOOLEAN] = 1,
|
||||||
[OPTION_STRING] = 1, /* ignored by udhcp_str2optset */
|
[OPTION_STRING] = 1, /* ignored by udhcp_str2optset */
|
||||||
|
[OPTION_STRING_HOST] = 1, /* ignored by udhcp_str2optset */
|
||||||
#if ENABLE_FEATURE_UDHCP_RFC3397
|
#if ENABLE_FEATURE_UDHCP_RFC3397
|
||||||
[OPTION_DNS_STRING] = 1, /* ignored by both udhcp_str2optset and xmalloc_optname_optval */
|
[OPTION_DNS_STRING] = 1, /* ignored by both udhcp_str2optset and xmalloc_optname_optval */
|
||||||
[OPTION_SIP_SERVERS] = 1,
|
[OPTION_SIP_SERVERS] = 1,
|
||||||
@ -417,7 +418,9 @@ static NOINLINE void attach_option(
|
|||||||
/* actually 255 is ok too, but adding a space can overlow it */
|
/* actually 255 is ok too, but adding a space can overlow it */
|
||||||
|
|
||||||
existing->data = xrealloc(existing->data, OPT_DATA + 1 + old_len + length);
|
existing->data = xrealloc(existing->data, OPT_DATA + 1 + old_len + length);
|
||||||
if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING) {
|
if ((optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING
|
||||||
|
|| (optflag->flags & OPTION_TYPE_MASK) == OPTION_STRING_HOST
|
||||||
|
) {
|
||||||
/* add space separator between STRING options in a list */
|
/* add space separator between STRING options in a list */
|
||||||
existing->data[OPT_DATA + old_len] = ' ';
|
existing->data[OPT_DATA + old_len] = ' ';
|
||||||
old_len++;
|
old_len++;
|
||||||
@ -481,6 +484,7 @@ int FAST_FUNC udhcp_str2optset(const char *const_str, void *arg)
|
|||||||
retval = udhcp_str2nip(val, buffer + 4);
|
retval = udhcp_str2nip(val, buffer + 4);
|
||||||
break;
|
break;
|
||||||
case OPTION_STRING:
|
case OPTION_STRING:
|
||||||
|
case OPTION_STRING_HOST:
|
||||||
#if ENABLE_FEATURE_UDHCP_RFC3397
|
#if ENABLE_FEATURE_UDHCP_RFC3397
|
||||||
case OPTION_DNS_STRING:
|
case OPTION_DNS_STRING:
|
||||||
#endif
|
#endif
|
||||||
|
@ -80,6 +80,9 @@ enum {
|
|||||||
OPTION_IP = 1,
|
OPTION_IP = 1,
|
||||||
OPTION_IP_PAIR,
|
OPTION_IP_PAIR,
|
||||||
OPTION_STRING,
|
OPTION_STRING,
|
||||||
|
/* Opts of STRING_HOST type will be sanitized before they are passed
|
||||||
|
* to udhcpc script's environment: */
|
||||||
|
OPTION_STRING_HOST,
|
||||||
// OPTION_BOOLEAN,
|
// OPTION_BOOLEAN,
|
||||||
OPTION_U8,
|
OPTION_U8,
|
||||||
OPTION_U16,
|
OPTION_U16,
|
||||||
|
@ -135,6 +135,63 @@ static int mton(uint32_t mask)
|
|||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Check if a given label represents a valid DNS label
|
||||||
|
* Return pointer to the first character after the label upon success,
|
||||||
|
* NULL otherwise.
|
||||||
|
* See RFC1035, 2.3.1
|
||||||
|
*/
|
||||||
|
/* We don't need to be particularly anal. For example, allowing _, hyphen
|
||||||
|
* at the end, or leading and trailing dots would be ok, since it
|
||||||
|
* can't be used for attacks. (Leading hyphen can be, if someone uses
|
||||||
|
* cmd "$hostname"
|
||||||
|
* in the script: then hostname may be treated as an option)
|
||||||
|
*/
|
||||||
|
static const char *valid_domain_label(const char *label)
|
||||||
|
{
|
||||||
|
unsigned char ch;
|
||||||
|
unsigned pos = 0;
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
ch = *label;
|
||||||
|
if ((ch|0x20) < 'a' || (ch|0x20) > 'z') {
|
||||||
|
if (pos == 0) {
|
||||||
|
/* label must begin with letter */
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if (ch < '0' || ch > '9') {
|
||||||
|
if (ch == '\0' || ch == '.')
|
||||||
|
return label;
|
||||||
|
/* DNS allows only '-', but we are more permissive */
|
||||||
|
if (ch != '-' && ch != '_')
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
label++;
|
||||||
|
pos++;
|
||||||
|
//Do we want this?
|
||||||
|
//if (pos > 63) /* NS_MAXLABEL; labels must be 63 chars or less */
|
||||||
|
// return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check if a given name represents a valid DNS name */
|
||||||
|
/* See RFC1035, 2.3.1 */
|
||||||
|
static int good_hostname(const char *name)
|
||||||
|
{
|
||||||
|
//const char *start = name;
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
name = valid_domain_label(name);
|
||||||
|
if (!name)
|
||||||
|
return 0;
|
||||||
|
if (!name[0])
|
||||||
|
return 1;
|
||||||
|
//Do we want this?
|
||||||
|
//return ((name - start) < 1025); /* NS_MAXDNAME */
|
||||||
|
name++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Create "opt_name=opt_value" string */
|
/* Create "opt_name=opt_value" string */
|
||||||
static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_optflag *optflag, const char *opt_name)
|
static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_optflag *optflag, const char *opt_name)
|
||||||
{
|
{
|
||||||
@ -187,8 +244,11 @@ static NOINLINE char *xmalloc_optname_optval(uint8_t *option, const struct dhcp_
|
|||||||
* the case of list of options.
|
* the case of list of options.
|
||||||
*/
|
*/
|
||||||
case OPTION_STRING:
|
case OPTION_STRING:
|
||||||
|
case OPTION_STRING_HOST:
|
||||||
memcpy(dest, option, len);
|
memcpy(dest, option, len);
|
||||||
dest[len] = '\0';
|
dest[len] = '\0';
|
||||||
|
if (type == OPTION_STRING_HOST && !good_hostname(dest))
|
||||||
|
safe_strncpy(dest, "bad", len);
|
||||||
return ret;
|
return ret;
|
||||||
case OPTION_STATIC_ROUTES: {
|
case OPTION_STATIC_ROUTES: {
|
||||||
/* Option binary format:
|
/* Option binary format:
|
||||||
@ -368,6 +428,7 @@ static char **fill_envp(struct dhcp_packet *packet)
|
|||||||
/* +1 element for each option, +2 for subnet option: */
|
/* +1 element for each option, +2 for subnet option: */
|
||||||
if (packet) {
|
if (packet) {
|
||||||
/* note: do not search for "pad" (0) and "end" (255) options */
|
/* note: do not search for "pad" (0) and "end" (255) options */
|
||||||
|
//TODO: change logic to scan packet _once_
|
||||||
for (i = 1; i < 255; i++) {
|
for (i = 1; i < 255; i++) {
|
||||||
temp = udhcp_get_option(packet, i);
|
temp = udhcp_get_option(packet, i);
|
||||||
if (temp) {
|
if (temp) {
|
||||||
|
Loading…
Reference in New Issue
Block a user