1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

sd-dhcp-client: tentatively ignore FORCERENEW command

This makes DHCP client ignore FORCERENEW requests, as unauthenticated
FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).

Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.

Fixes #16774.
This commit is contained in:
Yu Watanabe 2021-06-24 01:22:07 +09:00
parent 551ad0b7de
commit 38e980a6a5

View File

@ -1587,9 +1587,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
if (r != DHCP_FORCERENEW)
return -ENOMSG;
#if 0
log_dhcp_client(client, "FORCERENEW");
return 0;
#else
/* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
* Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
* requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
log_dhcp_client(client, "Received FORCERENEW, ignoring.");
return -ENOMSG;
#endif
}
static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {