rpm/atftp
SHA256
1
0
Fork 0
forked from pool/atftp
Code Pull Requests Activity
fa4c7b8743
atftp/atftp-CVE-2020-6097.patch
Pedro Monreal Gonzalez fa4c7b8743 Accepting request 843270 from home:pmonrealgonzalez:branches:network 
- Security fix: [bsc#1176437, CVE-2020-6097]
  * A specially crafted sequence of RRQ-Multicast requests can
    trigger an assert() call resulting denial-of-service.
- Add atftp-CVE-2020-6097.patch

OBS-URL: https://build.opensuse.org/request/show/843270
OBS-URL: https://build.opensuse.org/package/show/network/atftp?expand=0&rev=44
2020-10-25 17:44:03 +00:00

101 lines
3.5 KiB
Diff
Raw Blame History

From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001
From: Peter Kaestle <peter.kaestle@nokia.com>
Date: Wed, 14 Oct 2020 14:02:41 +0200
Subject: [PATCH] Fix for DoS issue CVE-2020-6097
"sockaddr_print_addr" of tftpd can be triggered remotely to call
assert(), which will crash the tftpd daemon. See:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
"sockaddr_print_addr" originaly had two features:
1) returning pointer to string of the incoming ip address
2) checking whether ss_family of the connection is supported
To fix the issue, a separate function "sockaddr_family_supported" is
used to take care of 2) and "sockaddr_print_addr" returns an error
message string for unsupported cases when using 1) insert of calling
assert().
---
tftp_def.c | 11 ++++++++++-
tftp_def.h | 1 +
tftpd.c | 5 +++++
tftpd_mtftp.c | 5 +++++
4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/tftp_def.c b/tftp_def.c
index d457c2a..428a930 100644
--- a/tftp_def.c
+++ b/tftp_def.c
@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host)
return OK;
}
+int
+sockaddr_family_supported(const struct sockaddr_storage *ss)
+{
+ if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
+ return 1;
+ else
+ return 0;
+}
+
char *
sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
{
@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
else if (ss->ss_family == AF_INET6)
addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
else
- assert(!"sockaddr_print: unsupported address family");
+ return "sockaddr_print: unsupported address family";
return (char *)inet_ntop(ss->ss_family, addr, buf, len);
}
diff --git a/tftp_def.h b/tftp_def.h
index 0841746..458e310 100644
--- a/tftp_def.h
+++ b/tftp_def.h
@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format);
inline char *Strncpy(char *to, const char *from, size_t size);
int Gethostbyname(char *addr, struct hostent *host);
+int sockaddr_family_supported(const struct sockaddr_storage *ss);
char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
#define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
uint16_t sockaddr_get_port(const struct sockaddr_storage *);
diff --git a/tftpd.c b/tftpd.c
index 0b6f6a5..a7561a5 100644
--- a/tftpd.c
+++ b/tftpd.c
@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg)
}
#ifdef HAVE_WRAP
+ if (!abort && !sockaddr_family_supported(&data->client_info->client))
+ {
+ logger(LOG_ERR, "Connection from unsupported network address family refused");
+ abort = 1;
+ }
if (!abort)
{
/* Verify the client has access. We don't look for the name but
diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c
index d420d10..0032905 100644
--- a/tftpd_mtftp.c
+++ b/tftpd_mtftp.c
@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg)
&data_size, data->data_buffer);
#ifdef HAVE_WRAP
+ if (!sockaddr_family_supported(&sa))
+ {
+ logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused");
+ continue;
+ }
/* Verify the client has access. We don't look for the name but
rely only on the IP address for that. */
sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
--
2.28.0
View Git Blame Copy Permalink