diff options
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-06-24 01:22:07 +0900 |
|---|---|---|
| committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-06-24 11:25:26 +0900 |
| commit | 38e980a6a5a3442c2f48b1f827284388096d8ca5 (patch) | |
| tree | 5299eba20a410611ae845f905bd661f816f8d3e2 /src/libsystemd-network/sd-dhcp-client.c | |
| parent | 551ad0b7de9ebc3a5fb1d84a06e21fc0c0ca3017 (diff) | |
| download | systemd-38e980a6a5a3442c2f48b1f827284388096d8ca5.tar.gz | |
sd-dhcp-client: tentatively ignore FORCERENEW command
This makes DHCP client ignore FORCERENEW requests, as unauthenticated
FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
Fixes #16774.
Diffstat (limited to 'src/libsystemd-network/sd-dhcp-client.c')
| -rw-r--r-- | src/libsystemd-network/sd-dhcp-client.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c index 67a5a03eba..dc8ff19d1a 100644 --- a/src/libsystemd-network/sd-dhcp-client.c +++ b/src/libsystemd-network/sd-dhcp-client.c @@ -1587,9 +1587,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force, if (r != DHCP_FORCERENEW) return -ENOMSG; +#if 0 log_dhcp_client(client, "FORCERENEW"); return 0; +#else + /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP + * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW + * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */ + log_dhcp_client(client, "Received FORCERENEW, ignoring."); + return -ENOMSG; +#endif } static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) { |