DHCP: Ensure dhcp is running on the interface received from
BSD: Link handling has been simplified, however it is expected
that if an interface supports SIOCGIFMEDIA then it reports
the correct link status via route(4) for reliable operations
BPF: ARP filter is more robust
BSD and sun: Validate RTM message lengths
DHCPv6 (security): Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
* auth: Use consttime_memequal to avoid latency attack
  consttime_memequal is supplied if libc does not support it
  dhcpcd >=6.2 <7.2.1 are vulnerable
* DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
  dhcpcd >=4 <7.2.1 are vulnerable
* DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
  dhcpcd >=7 <7.2.1 are vulnerable
was a request to upstream for this so that slaacd could handle the address
and dhcpcd handle rdnss (though TBH I'd just use dhcpcd for everything in
that case).
other fixes);
dhcpcd-7.0.0, 7.0.1 and 7.0.2 are vulnerable to the DHCP6 issue where the
message is copied from the DHCP6 option into a buffer, but is NULL terminated
beyond the size of the buffer.
dhcpcd-6 is not vulnerable.
earlier feedback from naddy, and a reminder about rtsol from Ross L Richardson.
- convert some description into comments in the sample config
- disable all hooks in DHCPv6-PD sample by overriding "script", they're
often not needed in this situation (and disabling hooks individually with
nohook leaves you open to the potential for new ones being added later)
- rtsol -> "inet6 autoconf"
http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d
- Ensure that option length fits inside data length less option size.
(can lead to an invalid read/crash via malformed dhcp responses)
http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
- dhcp_optlen now returns the length of the data we can sanely work
on given the option definition and data length. Call dhcp_optlen in
dhcp_envoption1 to ensure these bounds are not overstepped.
Fixes an issue reported by Nico Golde where extra undersized data was
present in the option. An example of this would be an array of uint16's
with a trailing byte.
(reporter says "exploitation is non-trivial, but I'd love to be
proven wrong.")
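
The two bounds checks described in the last two entries above, as an added C example that is not dhcpcd's code: an option's length byte must fit inside the remaining data, and an array payload is cut down to a whole number of elements. The names usable_optlen, find_option, decode_u16_array and opt_kind are hypothetical, and the buffer layout assumed is the plain DHCP code/length/value encoding with pad (0) and end (255) options.

```c
#include <stddef.h>
#include <stdint.h>

/* Element sizes for this sketch; hypothetical names, not dhcpcd's. */
enum opt_kind { OPT_UINT8 = 1, OPT_UINT16 = 2, OPT_UINT32 = 4 };

/* Bytes of a payload of length dl that can safely be decoded as `kind`:
 * 0 when not even one element fits, one element for a scalar, and dl
 * rounded down to whole elements for an array (drops a trailing byte). */
size_t usable_optlen(enum opt_kind kind, int is_array, size_t dl)
{
    size_t sz = (size_t)kind;
    if (dl < sz)
        return 0;
    return is_array ? dl - (dl % sz) : sz;
}

/* Locate option `code` in a code/length/value buffer. Returns the payload
 * and stores its length in *len; NULL if the option is absent or if any
 * option's length byte claims more data than the buffer holds. */
const uint8_t *find_option(const uint8_t *buf, size_t buflen,
                           uint8_t code, size_t *len)
{
    size_t i = 0;
    while (i < buflen && buf[i] != 255) {       /* 255 = end option */
        if (buf[i] == 0) { i++; continue; }     /* 0 = pad, no length */
        /* Length byte must exist and fit in what follows the header. */
        if (buflen - i < 2 || buf[i + 1] > buflen - i - 2)
            return NULL;
        if (buf[i] == code) { *len = buf[i + 1]; return buf + i + 2; }
        i += 2 + (size_t)buf[i + 1];
    }
    return NULL;
}

/* Decode option `code` as an array of big-endian uint16 into out[]. */
size_t decode_u16_array(const uint8_t *buf, size_t buflen, uint8_t code,
                        uint16_t *out, size_t max)
{
    size_t len = 0, n = 0;
    const uint8_t *p = find_option(buf, buflen, code, &len);
    if (p == NULL) return 0;
    len = usable_optlen(OPT_UINT16, 1, len);    /* 5 bytes -> 4 usable */
    for (size_t i = 0; i + 1 < len && n < max; i += 2)
        out[n++] = (uint16_t)((p[i] << 8) | p[i + 1]);
    return n;
}
```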