package/atftp: add security fix for CVE-2020-6097
Fixed the following security issue: - CVE-2020-6097: An exploitable denial of service vulnerability exists in the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A specially crafted sequence of RRQ-Multicast requests trigger an assert() call resulting in denial-of-service. An attacker can send a sequence of malicious packets to trigger this vulnerability. For more details, see the report: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Peter Korsgaard
Yann E. MORIN
parent
b5aab68465
commit
5b36e91fda
104
package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
Normal file
104
package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
Normal file
|
|
@ -0,0 +1,104 @@
|
|||
From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Kaestle <peter.kaestle@nokia.com>
|
||||
Date: Wed, 14 Oct 2020 14:02:41 +0200
|
||||
Subject: [PATCH] Fix for DoS issue CVE-2020-6097
|
||||
|
||||
"sockaddr_print_addr" of tftpd can be triggered remotely to call
|
||||
assert(), which will crash the tftpd daemon. See:
|
||||
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
|
||||
|
||||
"sockaddr_print_addr" originaly had two features:
|
||||
1) returning pointer to string of the incoming ip address
|
||||
2) checking whether ss_family of the connection is supported
|
||||
|
||||
To fix the issue, a separate function "sockaddr_family_supported" is
|
||||
used to take care of 2) and "sockaddr_print_addr" returns an error
|
||||
message string for unsupported cases when using 1) insert of calling
|
||||
assert().
|
||||
|
||||
[Upstream:
|
||||
https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/]
|
||||
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
||||
---
|
||||
tftp_def.c | 11 ++++++++++-
|
||||
tftp_def.h | 1 +
|
||||
tftpd.c | 5 +++++
|
||||
tftpd_mtftp.c | 5 +++++
|
||||
4 files changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tftp_def.c b/tftp_def.c
|
||||
index d457c2a..428a930 100644
|
||||
--- a/tftp_def.c
|
||||
+++ b/tftp_def.c
|
||||
@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host)
|
||||
return OK;
|
||||
}
|
||||
|
||||
+int
|
||||
+sockaddr_family_supported(const struct sockaddr_storage *ss)
|
||||
+{
|
||||
+ if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
char *
|
||||
sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
|
||||
{
|
||||
@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
|
||||
else if (ss->ss_family == AF_INET6)
|
||||
addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
|
||||
else
|
||||
- assert(!"sockaddr_print: unsupported address family");
|
||||
+ return "sockaddr_print: unsupported address family";
|
||||
return (char *)inet_ntop(ss->ss_family, addr, buf, len);
|
||||
}
|
||||
|
||||
diff --git a/tftp_def.h b/tftp_def.h
|
||||
index 0841746..458e310 100644
|
||||
--- a/tftp_def.h
|
||||
+++ b/tftp_def.h
|
||||
@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format);
|
||||
inline char *Strncpy(char *to, const char *from, size_t size);
|
||||
int Gethostbyname(char *addr, struct hostent *host);
|
||||
|
||||
+int sockaddr_family_supported(const struct sockaddr_storage *ss);
|
||||
char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
|
||||
#define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
|
||||
uint16_t sockaddr_get_port(const struct sockaddr_storage *);
|
||||
diff --git a/tftpd.c b/tftpd.c
|
||||
index 0b6f6a5..a7561a5 100644
|
||||
--- a/tftpd.c
|
||||
+++ b/tftpd.c
|
||||
@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg)
|
||||
}
|
||||
|
||||
#ifdef HAVE_WRAP
|
||||
+ if (!abort && !sockaddr_family_supported(&data->client_info->client))
|
||||
+ {
|
||||
+ logger(LOG_ERR, "Connection from unsupported network address family refused");
|
||||
+ abort = 1;
|
||||
+ }
|
||||
if (!abort)
|
||||
{
|
||||
/* Verify the client has access. We don't look for the name but
|
||||
diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c
|
||||
index d420d10..0032905 100644
|
||||
--- a/tftpd_mtftp.c
|
||||
+++ b/tftpd_mtftp.c
|
||||
@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg)
|
||||
&data_size, data->data_buffer);
|
||||
|
||||
#ifdef HAVE_WRAP
|
||||
+ if (!sockaddr_family_supported(&sa))
|
||||
+ {
|
||||
+ logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused");
|
||||
+ continue;
|
||||
+ }
|
||||
/* Verify the client has access. We don't look for the name but
|
||||
rely only on the IP address for that. */
|
||||
sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -18,6 +18,9 @@ ATFTP_LIBS = -lpthread
|
|||
ATFTP_CONF_ENV = LIBS="$(ATFTP_LIBS)" \
|
||||
CFLAGS="$(TARGET_CFLAGS) -fgnu89-inline"
|
||||
|
||||
# 0004-Fix-for-DoS-issue-CVE-2020-6097.patch
|
||||
ATFTP_IGNORE_CVES += CVE-2020-6097
|
||||
|
||||
ifeq ($(BR2_PACKAGE_READLINE),y)
|
||||
ATFTP_DEPENDENCIES += readline
|
||||
ATFTP_CONF_OPTS += --enable-libreadline
|
||||
|
|
|
|||
Loading…
Reference in a new issue