From 5066e155bae5caa6d2105fcce546025d9aa9c266 Mon Sep 17 00:00:00 2001 From: tobias Date: Sat, 26 Jul 2014 07:48:49 +0000 Subject: [PATCH] Fix very hard to reach DoS attack vector, which would involve more than 8 billion network packets. Mixture of many many malformed and proper packets could result in a division by zero. ok krw@ --- usr.sbin/dhcpd/packet.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr.sbin/dhcpd/packet.c b/usr.sbin/dhcpd/packet.c index 30efac86779..24520fce8ec 100644 --- a/usr.sbin/dhcpd/packet.c +++ b/usr.sbin/dhcpd/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.6 2013/12/05 21:03:40 krw Exp $ */ +/* $OpenBSD: packet.c,v 1.7 2014/07/26 07:48:49 tobias Exp $ */ /* Packet assembly code, originally contributed by Archie Cobbs. */ @@ -180,7 +180,7 @@ decode_udp_ip_header(struct interface_info *interface, unsigned char *buf, ip_packets_seen++; if (wrapsum(checksum(buf + bufix, ip_len, 0)) != 0) { ip_packets_bad_checksum++; - if (ip_packets_seen > 4 && + if (ip_packets_seen > 4 && ip_packets_bad_checksum != 0 && (ip_packets_seen / ip_packets_bad_checksum) < 2) { note("%d bad IP checksums seen in %d packets", ip_packets_bad_checksum, ip_packets_seen); @@ -206,6 +206,7 @@ decode_udp_ip_header(struct interface_info *interface, unsigned char *buf, if ((len < 0) || (len + data > buf + bufix + buflen)) { udp_packets_length_overflow++; if (udp_packets_length_checked > 4 && + udp_packets_length_overflow != 0 && (udp_packets_length_checked / udp_packets_length_overflow) < 2) { note("%d udp packets in %d too long - dropped", @@ -230,7 +231,7 @@ decode_udp_ip_header(struct interface_info *interface, unsigned char *buf, udp_packets_seen++; if (usum && usum != sum) { udp_packets_bad_checksum++; - if (udp_packets_seen > 4 && + if (udp_packets_seen > 4 && udp_packets_bad_checksum != 0 && (udp_packets_seen / udp_packets_bad_checksum) < 2) { note("%d bad udp checksums in %d packets", udp_packets_bad_checksum, udp_packets_seen); -- 2.20.1