From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 24 Jun 2021 01:22:07 +0900
Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
This makes the DHCP client ignore FORCERENEW requests, as unauthenticated
FORCERENEW requests cause a security issue (TALOS-2020-1142, CVE-2020-13529).
Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
Fixes #16774.
---
src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
index 67a5a03eba6a..dc8ff19d1a24 100644
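--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
@@ -1380,9 +1380,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
 if (r != DHCP_FORCERENEW)
 return -ENOMSG;
 
+#if 0
 log_dhcp_client(client, "FORCERENEW");
 
 return 0;
+#else
+ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
+ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
+ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
+ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
+ return -ENOMSG;
+#endif
 }
 
 static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {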
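Review bot: The `#if 0` branch keeps the old accept path (`return 0;`) in the function directly beside the new reject path, so a later re-enable is a one-token edit that would restore unauthenticated FORCERENEW handling (CVE-2020-13529) without any authentication check. I would drop the disabled branch and keep only the FIXME comment, the log call and `return -ENOMSG;`, or at least mark the disabled branch with `/* must not be re-enabled before the message's authentication option is verified */`. The ignored case also returns the same `-ENOMSG` as a message that is not a FORCERENEW at all, so the log line is the only trace of a dropped request; whether it is visible at the default log level cannot be told from this hunk. The body of client_handle_forcerenew starts above the hunk, so how the caller treats `-ENOMSG` is not visible here either.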