[Buildroot] [PATCH] package/atftp: add security fix for CVE-2020-6097

Yann E. MORIN yann.morin.1998 at free.fr
Fri Feb 5 12:49:05 UTC 2021


Peter, All,

On 2021-02-05 10:01 +0100, Peter Korsgaard spake thusly:
> Fixed the following security issue:
> 
> - CVE-2020-6097: An exploitable denial of service vulnerability exists in
>   the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1.  A
>   specially crafted sequence of RRQ-Multicast requests trigger an assert()
>   call resulting in denial-of-service.  An attacker can send a sequence of
>   malicious packets to trigger this vulnerability.
> 
> For more details, see the report:
> https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...0004-Fix-for-DoS-issue-CVE-2020-6097.patch | 104 ++++++++++++++++++
>  package/atftp/atftp.mk                        |   3 +
>  2 files changed, 107 insertions(+)
>  create mode 100644 package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
> 
> diff --git a/package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch b/package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
> new file mode 100644
> index 0000000000..fe59325e57
> --- /dev/null
> +++ b/package/atftp/0004-Fix-for-DoS-issue-CVE-2020-6097.patch
> @@ -0,0 +1,104 @@
> +From 96409ef3b9ca061f9527cfaafa778105cf15d994 Mon Sep 17 00:00:00 2001
> +From: Peter Kaestle <peter.kaestle at nokia.com>
> +Date: Wed, 14 Oct 2020 14:02:41 +0200
> +Subject: [PATCH] Fix for DoS issue CVE-2020-6097
> +
> +"sockaddr_print_addr" of tftpd can be triggered remotely to call
> +assert(), which will crash the tftpd daemon.  See:
> +https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
> +
> +"sockaddr_print_addr" originaly had two features:
> +1) returning pointer to string of the incoming ip address
> +2) checking whether ss_family of the connection is supported
> +
> +To fix the issue, a separate function "sockaddr_family_supported" is
> +used to take care of 2) and "sockaddr_print_addr" returns an error
> +message string for unsupported cases when using 1) insert of calling
> +assert().
> +
> +[Upstream:
> + https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/]
> +Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> +---
> + tftp_def.c    | 11 ++++++++++-
> + tftp_def.h    |  1 +
> + tftpd.c       |  5 +++++
> + tftpd_mtftp.c |  5 +++++
> + 4 files changed, 21 insertions(+), 1 deletion(-)
> +
> +diff --git a/tftp_def.c b/tftp_def.c
> +index d457c2a..428a930 100644
> +--- a/tftp_def.c
> ++++ b/tftp_def.c
> +@@ -180,6 +180,15 @@ int Gethostbyname(char *addr, struct hostent *host)
> +      return OK;
> + }
> + 
> ++int
> ++sockaddr_family_supported(const struct sockaddr_storage *ss)
> ++{
> ++     if (ss->ss_family == AF_INET || ss->ss_family == AF_INET6)
> ++          return 1;
> ++     else
> ++          return 0;
> ++}
> ++
> + char *
> + sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
> + {
> +@@ -189,7 +198,7 @@ sockaddr_print_addr(const struct sockaddr_storage *ss, char *buf, size_t len)
> +      else if (ss->ss_family == AF_INET6)
> +           addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
> +      else
> +-          assert(!"sockaddr_print: unsupported address family");
> ++          return "sockaddr_print: unsupported address family";
> +      return (char *)inet_ntop(ss->ss_family, addr, buf, len);
> + }
> + 
> +diff --git a/tftp_def.h b/tftp_def.h
> +index 0841746..458e310 100644
> +--- a/tftp_def.h
> ++++ b/tftp_def.h
> +@@ -54,6 +54,7 @@ int print_eng(double value, char *string, int size, char *format);
> + inline char *Strncpy(char *to, const char *from, size_t size);
> + int Gethostbyname(char *addr, struct hostent *host);
> + 
> ++int sockaddr_family_supported(const struct sockaddr_storage *ss);
> + char *sockaddr_print_addr(const struct sockaddr_storage *, char *, size_t);
> + #define SOCKADDR_PRINT_ADDR_LEN INET6_ADDRSTRLEN
> + uint16_t sockaddr_get_port(const struct sockaddr_storage *);
> +diff --git a/tftpd.c b/tftpd.c
> +index 0b6f6a5..a7561a5 100644
> +--- a/tftpd.c
> ++++ b/tftpd.c
> +@@ -644,6 +644,11 @@ void *tftpd_receive_request(void *arg)
> +      }
> + 
> + #ifdef HAVE_WRAP
> ++     if (!abort && !sockaddr_family_supported(&data->client_info->client))
> ++     {
> ++          logger(LOG_ERR, "Connection from unsupported network address family refused");
> ++          abort = 1;
> ++     }
> +      if (!abort)
> +      {
> +           /* Verify the client has access. We don't look for the name but
> +diff --git a/tftpd_mtftp.c b/tftpd_mtftp.c
> +index d420d10..0032905 100644
> +--- a/tftpd_mtftp.c
> ++++ b/tftpd_mtftp.c
> +@@ -393,6 +393,11 @@ void *tftpd_mtftp_server(void *arg)
> +                                         &data_size, data->data_buffer);
> + 
> + #ifdef HAVE_WRAP
> ++               if (!sockaddr_family_supported(&sa))
> ++               {
> ++                    logger(LOG_ERR, "mtftp: Connection from unsupported network address family refused");
> ++                    continue;
> ++               }
> +                /* Verify the client has access. We don't look for the name but
> +                   rely only on the IP address for that. */
> +                sockaddr_print_addr(&sa, addr_str, sizeof(addr_str));
> +-- 
> +2.20.1
> +
> diff --git a/package/atftp/atftp.mk b/package/atftp/atftp.mk
> index cbe05ba7e0..a4b461fda5 100644
> --- a/package/atftp/atftp.mk
> +++ b/package/atftp/atftp.mk
> @@ -18,6 +18,9 @@ ATFTP_LIBS = -lpthread
>  ATFTP_CONF_ENV = LIBS="$(ATFTP_LIBS)" \
>  	CFLAGS="$(TARGET_CFLAGS) -fgnu89-inline"
>  
> +# 0004-Fix-for-DoS-issue-CVE-2020-6097.patch
> +ATFTP_IGNORE_CVES += CVE-2020-6097
> +
>  ifeq ($(BR2_PACKAGE_READLINE),y)
>  ATFTP_DEPENDENCIES += readline
>  ATFTP_CONF_OPTS += --enable-libreadline
> -- 
> 2.20.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


More information about the buildroot mailing list