From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH 2/4] dhcp: Make option parsing more robust, explicitly handle options 0 and 255
Date: Thu, 16 Jul 2026 15:37:13 +1000 [thread overview]
Message-ID: <alhuADvrv2QedEt4@zatzit> (raw)
In-Reply-To: <20260715232523.3372714-3-sbrivio@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 3586 bytes --]
On Thu, Jul 16, 2026 at 01:25:21AM +0200, Stefano Brivio wrote:
> The initial option-scanning loop in dhcp(), so far, ignored options 0
> (Pad Option, RFC 2132, Section 3.1) and 255 (End Option, RFC 2132,
> Section 3.2).
>
> As a result:
>
> - if we ever encountered option 0 in the middle of option fields
> (never seen in practice), we would potentially terminate the loop
> too early, before scanning remaining options
>
> - a malformed message with an option 255 followed by a length byte
> would (reliably) cause us to terminate as we would exceed the
> allocated size for the 'opts' array, which is detected as buffer
> overflow by the FORTIFY_SOURCE mechanism
>
> The latter was reported as potential vulnerability by AISLE, but it's
> not actually a vulnerability as we always terminate without carrying
> on further handling, and in our security model the guest is able to
> sabotage its own connectivity in any case (for example, a malformed
> frame from the hypervisor would cause us to reset the connection, or
> entirely flooding the flow table would cause inbound connectivity to
> stop working, etc.).
>
> The reported behaviour, however, is indeed a defect, as it affects
> the functional robustness to a hypothetical issue in a DHCP client,
> and that's something we definitely want to fix.
>
> Make the option parsing loop more robust by:
>
> - resizing 'opts' from 255 to 256 elements: there's no particular
> reason to try to save a tiny bit of memory (which shouldn't even
> be allocated in practice) instead of being defensive about it
>
> - explicitly handle options 0 (skip one byte, continue) and 255 (stop
> processing options) in the option-scanning loop
>
> This bug was found and an initial version of the patch was written by
> the AISLE AI security scanning tool (https://aisle.com/platform).
>
> Reported-by: AISLE
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> dhcp.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/dhcp.c b/dhcp.c
> index 1ff8cba..632019a 100644
> --- a/dhcp.c
> +++ b/dhcp.c
> @@ -49,7 +49,7 @@ struct opt {
> uint8_t c[255];
> };
>
> -static struct opt opts[255];
> +static struct opt opts[256];
>
> #define DHCPDISCOVER 1
> #define DHCPOFFER 2
> @@ -374,6 +374,14 @@ int dhcp(const struct ctx *c, struct iov_tail *data)
> if (!type || !olen)
> return -1;
>
> + if (*type == 255)
> + break;
> +
> + if (*type == 0) { /* Pad Option (RFC 2132, 3.1): one byte */
> + opt_len--;
> + continue;
> + }
> +
I don't think this is quite right: at this point we've already
stripped off the non-existent length-byte with IOV_REMOVE_HEADER,
meaning opt_len will get out of sync with iov_tail_size(data).
I think we instead need to check for the 1-byte option cases between
the two IOV_REMOVE_HEADER() calls. And.. since presumably the options
could theoretically end with some padding options, we probably want
the loop to be while (opt_len >= 1) instead of 2. In fact the way we
mix recalculating opt_len from iov_tail_size() with sometimes directly
updating it is pretty nasty. We might be better off with
while ((opt_len = iov_tail_size(data)))
> opt_len = iov_tail_size(data);
> if (opt_len < *olen)
> return -1;
> --
> 2.43.0
>
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2026-07-16 5:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-15 23:25 [PATCH 0/4] Assorted fixes, address a static checker warning Stefano Brivio
2026-07-15 23:25 ` [PATCH 1/4] CONTRIBUTING.md: The tag is "Link:", regardless of how many we have Stefano Brivio
2026-07-16 5:26 ` David Gibson
2026-07-15 23:25 ` [PATCH 2/4] dhcp: Make option parsing more robust, explicitly handle options 0 and 255 Stefano Brivio
2026-07-16 5:37 ` David Gibson [this message]
2026-07-16 7:22 ` Stefano Brivio
2026-07-15 23:25 ` [PATCH 3/4] passt.1, pesto.1: ::1 is an address, not a port Stefano Brivio
2026-07-16 5:38 ` David Gibson
2026-07-15 23:25 ` [PATCH 4/4] ndp: Use high quality entropy in NDP timer even if not needed Stefano Brivio
2026-07-16 5:45 ` David Gibson
2026-07-16 7:22 ` Stefano Brivio
2026-07-16 7:38 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alhuADvrv2QedEt4@zatzit \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).