[dhcp_relay] Check payload size to prevent buffer overflow in dhcpv6 option #9740

Merged
merged 10 commits into from
Jan 28, 2022

@kellyyeh kellyyeh commented Jan 12, 2022

Why I did it

When parsing through relay reply packets, parse_dhcpv6_option introduces a buffer overflow vulnerability, allowing up to 2 byte/65535 to be copied into a fixed buffer of size 4096.

How I did it

Add bound checks before and after option parsing

How to verify it

Send a dummy packet with option length greater than 4096. dhcp6relay should not perform memcpy on invalid option length.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106


@kellyyeh kellyyeh marked this pull request as ready for review January 12, 2022 23:27
@kellyyeh kellyyeh requested a review from lguohan as a code owner January 12, 2022 23:27
@kellyyeh kellyyeh requested a review from yxieca January 12, 2022 23:37
@kellyyeh kellyyeh requested a review from yxieca January 26, 2022 19:51
yxieca previously approved these changes Jan 27, 2022
@yxieca yxieca self-requested a review January 27, 2022 02:41
yxieca previously approved these changes Jan 27, 2022
@kellyyeh kellyyeh merged commit f998684 into sonic-net:master Jan 28, 2022
@kellyyeh kellyyeh deleted the dhcp6relay-bufferoverflow branch January 28, 2022 07:19
@kellyyeh kellyyeh added the "Request for 202111 Branch" (For PRs being requested for 202111 branch) and "Included in 201811 Branch" labels Feb 16, 2022
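
The bounds checks the description refers to, sketched as an added example; this is not the code merged in this PR. `extract_relay_msg`, `rd16` and the constants are hypothetical names, and the option layout (2-byte code, 2-byte length, Relay Message option code 9) is taken from RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RELAY_BUF_SIZE   4096 /* fixed destination size named in the PR */
#define OPT_HDR_LEN      4    /* 2-byte option code + 2-byte option length */
#define OPTION_RELAY_MSG 9    /* RFC 8415 Relay Message option */

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Walk the options in buf[0..len) and copy the Relay Message payload into
 * out, which must hold RELAY_BUF_SIZE bytes. Returns the payload length, or
 * -1 if an option header is truncated, a declared length overruns the
 * packet or the destination, or no Relay Message option is present.
 */
int extract_relay_msg(const uint8_t *buf, size_t len, uint8_t *out)
{
    size_t off = 0;

    while (off < len) {
        /* Check before parsing: the 4-byte header must lie inside the packet. */
        if (len - off < OPT_HDR_LEN)
            return -1;
        uint16_t code = rd16(buf + off);
        uint16_t olen = rd16(buf + off + 2);
        off += OPT_HDR_LEN;

        /* Check after parsing: the declared length must fit what remains. */
        if (olen > len - off)
            return -1;

        if (code == OPTION_RELAY_MSG) {
            /* The length field can claim up to 65535; the buffer holds 4096. */
            if (olen > RELAY_BUF_SIZE)
                return -1;
            memcpy(out, buf + off, olen);
            return (int)olen;
        }
        off += olen; /* skip an option we do not care about */
    }
    return -1;
}
```

Both comparisons are written as `x > len - off` rather than `off + x > len`, so the check itself cannot wrap.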