Home Explore Help
Register Sign In
PUBLIC_REPOS
/
buildroot
mirror of git://git.buildroot.net/buildroot
2
1
Fork 0
Files
Browse Source

package/atftp: add security fix for CVE-2020-6097

Fixed the following security issue:

- CVE-2020-6097: An exploitable denial of service vulnerability exists in
  the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1.  A
  specially crafted sequence of RRQ-Multicast requests trigger an assert()
  call resulting in denial-of-service.  An attacker can send a sequence of
  malicious packets to trigger this vulnerability.

For more details, see the report:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5b36e91fda95de313120ab530a07329a1c5d41db)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard 4 years ago
parent
5f273fa386
commit
2bce3c7b81
2 changed files with 107 additions and 0 deletions
Split View Show Diff Stats
  1. 104 0
      package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
  2. 3 0
      package/atftp/atftp.mk

+ 104 - 0
package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
View File 

@@ -0,0 +1,104 @@
 
+From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001
 
+From: Peter Kaestle <peter.kaestle@nokia.com>
 
+Date: Wed, 14 Oct 2020 14:02:41 +0200
 
+Subject: [PATCH] Fix for DoS issue CVE-2020-6097
 
+
 
+"sockaddr_print_addr" of tftpd can be triggered remotely to call
 
+assert(), which will crash the tftpd daemon.  See:
 
+https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
 
+
 
+"sockaddr_print_addr" originaly had two features:
 
+1) returning pointer to string of the incoming ip address
 
+2) checking whether ss_family of the connection is supported
 
+
 
+To fix the issue, a separate function "sockaddr_family_supported" is
 
+used to take care of 2) and "sockaddr_print_addr" returns an error
 
+message string for unsupported cases when using 1) insert of calling
 
+assert().
 
+
 
+[Upstream:
 
+ https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/]
 
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 
+---
 
+ tftp_def.c    | 11 ++++++++++-
 
+ tftp_def.h    |  1 +
 
+ tftpd.c       |  5 +++++
 
+ tftpd_mtftp.c |  5 +++++
 
+ 4 files changed, 21 insertions(+), 1 deletion(-)
 
+
 
+diff --git a/tftp_def.c b/tftp_def.c
 
+index d457c2a..428a930 100644
 
+--- a/tftp_def.c
 
++++ b/tftp_def.c
 
+@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host)
 
+      return OK;
 
+ }
 
+ 
++int
 
++sockaddr_family_supported(const struct sockaddr_storage *ss)
 
++{
 
++     if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
 
++          return 1;
 
++     else
 
++          return 0;
 
++}
 
++
 
+ char *
 
+ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
 
+ {
 
+@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
 
+      else if (ss->ss_family == AF_INET6)
 
+           addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
 
+      else
 
+-          assert(!"sockaddr_print: unsupported address family");
 
++          return "sockaddr_print: unsupported address family";
 
+      return (char *)inet_ntop(ss->ss_family, addr, buf, len);
 
+ }
 
+ 
+diff --git a/tftp_def.h b/tftp_def.h
 
+index 0841746..458e310 100644
 
+--- a/tftp_def.h
 
++++ b/tftp_def.h
 
+@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format);
 
+ inline char *Strncpy(char *to, const char *from, size_t size);
 
+ int Gethostbyname(char *addr, struct hostent *host);
 
+ 
++int sockaddr_family_supported(const struct sockaddr_storage *ss);
 
+ char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
 
+ #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
 
+ uint16_t sockaddr_get_port(const struct sockaddr_storage *);
 
+diff --git a/tftpd.c b/tftpd.c
 
+index 0b6f6a5..a7561a5 100644
 
+--- a/tftpd.c
 
++++ b/tftpd.c
 
+@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg)
 
+      }
 
+ 
+ #ifdef HAVE_WRAP
 
++     if (!abort && !sockaddr_family_supported(&data->client_info->client))
 
++     {
 
++          logger(LOG_ERR, "Connection from unsupported network address family refused");
 
++          abort = 1;
 
++     }
 
+      if (!abort)
 
+      {
 
+           /* Verify the client has access. We don't look for the name but
 
+diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c
 
+index d420d10..0032905 100644
 
+--- a/tftpd_mtftp.c
 
++++ b/tftpd_mtftp.c
 
+@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg)
 
+                                         &data_size, data->data_buffer);
 
+ 
+ #ifdef HAVE_WRAP
 
++               if (!sockaddr_family_supported(&sa))
 
++               {
 
++                    logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused");
 
++                    continue;
 
++               }
 
+                /* Verify the client has access. We don't look for the name but
 
+                   rely only on the IP address for that. */
 
+                sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
 
+-- 
+2.20.1
 
+

+ 3 - 0
package/atftp/atftp.mk
View File 

@@ -18,6 +18,9 @@ ATFTP_LIBS = -lpthread
 
 ATFTP_CONF_ENV = LIBS="$(ATFTP_LIBS)" \
 
 	CFLAGS="$(TARGET_CFLAGS) -fgnu89-inline"
 
 
+# 0004-Fix-for-DoS-issue-CVE-2020-6097.patch
 
+ATFTP_IGNORE_CVES += CVE-2020-6097
 
+
 
 ifeq ($(BR2_PACKAGE_READLINE),y)
 
 ATFTP_DEPENDENCIES += readline
 
 ATFTP_CONF_OPTS += --enable-libreadline