diff options
author | Thomas Markwalder <tmark@isc.org> | 2018-02-16 13:08:23 -0500 |
---|---|---|
committer | Thomas Markwalder <tmark@isc.org> | 2018-02-16 13:08:23 -0500 |
commit | 9216b13a41888fb50f35a337cd19536c7cecb4b0 (patch) | |
tree | d9d6329781fb712cc977332dd8e24c390892b400 | |
parent | 05e9a6ce1a3513cead961214d739558819b4c693 (diff) | |
download | isc-dhcp-9216b13a41888fb50f35a337cd19536c7cecb4b0.tar.gz |
[v4_1_esv_r15_pl] Added unit tests for CVE patches
common/tests/Makefile.am
common/tests/option_unittest.c
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | common/tests/Makefile.am | 7 | ||||
-rw-r--r-- | common/tests/option_unittest.c | 142 |
3 files changed, 149 insertions, 2 deletions
@@ -78,7 +78,7 @@ dhcp-users@lists.isc.org. when parsing buffer for options. Reported by Felix Wilhelm, Google Security Team. [ISC-Bugs #47140] - CVE: CVE-2018-xxxx + CVE: CVE-2018-5733 ! Corrected an issue where large sized 'X/x' format options were causing option handling logic to overwrite memory when expanding them to human diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am index 107a9295..cc8f42f5 100644 --- a/common/tests/Makefile.am +++ b/common/tests/Makefile.am @@ -8,7 +8,7 @@ ATF_TESTS = if HAVE_ATF -ATF_TESTS += alloc_unittest ns_name_unittest +ATF_TESTS += alloc_unittest ns_name_unittest option_unittest alloc_unittest_SOURCES = test_alloc.c $(top_srcdir)/tests/t_api_dhcp.c alloc_unittest_LDADD = $(ATF_LDFLAGS) @@ -20,6 +20,11 @@ ns_name_unittest_LDADD = $(ATF_LDFLAGS) ns_name_unittest_LDADD += ../libdhcp.a \ ../../omapip/libomapi.a ../../dst/libdst.a ../../minires/libres.a +option_unittest_SOURCES = option_unittest.c $(top_srcdir)/tests/t_api_dhcp.c +option_unittest_LDADD = $(ATF_LDFLAGS) +option_unittest_LDADD += ../libdhcp.a \ + ../../omapip/libomapi.a ../../dst/libdst.a ../../minires/libres.a + check: $(ATF_TESTS) sh ${top_srcdir}/tests/unittest.sh diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c new file mode 100644 index 00000000..cd52cfb4 --- /dev/null +++ b/common/tests/option_unittest.c @@ -0,0 +1,142 @@ +/* + * Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include <config.h> +#include <atf-c.h> +#include "dhcpd.h" + +ATF_TC(option_refcnt); + +ATF_TC_HEAD(option_refcnt, tc) +{ + atf_tc_set_md_var(tc, "descr", + "Verify option reference count does not overflow."); +} + +/* This test does a simple check to see if option reference count is + * decremented even an error path exiting parse_option_buffer() + */ +ATF_TC_BODY(option_refcnt, tc) +{ + struct option_state *options; + struct option *option; + unsigned code; + int refcnt; + unsigned char buffer[3] = { 15, 255, 0 }; + + initialize_common_option_spaces(); + + options = NULL; + if (!option_state_allocate(&options, MDL)) { + atf_tc_fail("can't allocate option state"); + } + + option = NULL; + code = 15; /* domain-name */ + if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, + &code, 0, MDL)) { + atf_tc_fail("can't find option 15"); + } + if (option == NULL) { + atf_tc_fail("option is NULL"); + } + refcnt = option->refcnt; + + buffer[0] = 15; + buffer[1] = 255; /* invalid */ + buffer[2] = 0; + + if (parse_option_buffer(options, buffer, 3, &dhcp_universe)) { + atf_tc_fail("parse_option_buffer is expected to fail"); + } + + if (refcnt != option->refcnt) { + atf_tc_fail("refcnt changed from %d to %d", refcnt, option->refcnt); + } +} + +ATF_TC(pretty_print_option); + +ATF_TC_HEAD(pretty_print_option, tc) +{ + atf_tc_set_md_var(tc, "descr", + "Verify pretty_print_option does not overrun its buffer."); +} + + +/* + * This test verifies that pretty_print_option() will not overrun its + * internal, static buffer when given large 'x/X' format options. + * + */ +ATF_TC_BODY(pretty_print_option, tc) +{ + struct option *option; + unsigned code; + unsigned char bad_data[32*1024]; + unsigned char good_data[] = { 1,2,3,4,5,6 }; + int emit_commas = 1; + int emit_quotes = 1; + const char *output_buf; + + /* Initialize whole thing to non-printable chars */ + memset(bad_data, 0x1f, sizeof(bad_data)); + + initialize_common_option_spaces(); + + /* We'll use dhcp_client_identitifer because it happens to be format X */ + code = 61; + option = NULL; + if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, + &code, 0, MDL)) { + atf_tc_fail("can't find option %d", code); + } + + if (option == NULL) { + atf_tc_fail("option is NULL"); + } + + /* First we will try a good value we know should fit. */ + output_buf = pretty_print_option (option, good_data, sizeof(good_data), + emit_commas, emit_quotes); + + /* Make sure we get what we expect */ + if (!output_buf || strcmp(output_buf, "1:2:3:4:5:6")) { + atf_tc_fail("pretty_print_option did not return \"<error>\""); + } + + + /* Now we'll try a data value that's too large */ + output_buf = pretty_print_option (option, bad_data, sizeof(bad_data), + emit_commas, emit_quotes); + + /* Make sure we safely get an error */ + if (!output_buf || strcmp(output_buf, "<error>")) { + atf_tc_fail("pretty_print_option did not return \"<error>\""); + } +} + + +/* This macro defines main() method that will call specified + test cases. tp and simple_test_case names can be whatever you want + as long as it is a valid variable identifier. */ +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, option_refcnt); + ATF_TP_ADD_TC(tp, pretty_print_option); + + return (atf_no_error()); +} |