Summary:
Malicious DHCP clients on the local network could cause dhcpd(8)
to corrupt its stack.
Impact:
A DHCP client with a carefully chosen maximum message size that
is less than the minimum IP MTU could lead to a buffer overflow
in dhcpd(8). This could cause dhcpd(8) to crash or could
potentially result in remote code execution.
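The kind of input check this bug calls for, as an added example (not the OpenBSD patch or dhcpd(8) source): parse the client's Maximum DHCP Message Size option (code 57) and clamp it to the 576-octet minimum that RFC 2132 defines before any buffer size is derived from it. The function name, the server_max parameter and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHO_PAD                0
#define DHO_MAX_MESSAGE_SIZE  57   /* RFC 2132, section 9.10 */
#define DHO_END              255
#define MIN_IP_MTU           576   /* minimum legal value for option 57 */

/*
 * Walk the option field of a client message (the bytes after the magic
 * cookie) and return the reply size limit the server should honour.
 * server_max is the size of the server's own reply buffer (hypothetical
 * parameter, assumed to be >= MIN_IP_MTU).
 */
uint16_t effective_max_size(const uint8_t *opts, size_t len, uint16_t server_max)
{
    uint16_t limit = MIN_IP_MTU;   /* used when the client sends no option 57 */
    size_t i = 0;

    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD)
            continue;              /* pad has no length byte */
        if (code == DHO_END || i >= len)
            break;                 /* end marker, or length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i)
            break;                 /* option data runs past the packet */
        if (code == DHO_MAX_MESSAGE_SIZE && olen == 2)
            limit = (uint16_t)(opts[i] << 8 | opts[i + 1]);  /* big-endian */
        i += olen;
    }
    if (limit < MIN_IP_MTU)        /* never trust a value below the floor */
        limit = MIN_IP_MTU;
    if (limit > server_max)        /* never exceed our own buffer */
        limit = server_max;
    return limit;
}

int main(void)
{
    /* Constructed sample: message type option, then option 57 = 64 octets. */
    const uint8_t undersized[] = { 53, 1, 1, 57, 2, 0x00, 0x40, DHO_END };

    printf("limit = %u\n",
        (unsigned)effective_max_size(undersized, sizeof undersized, 1500));
    return 0;
}
```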
Workaround:
Disable dhcpd if it is enabled. Note that OpenBSD does not
ship with dhcpd(8) enabled by default.
Fix:
A fix has been committed to OpenBSD-current. Patches are
available for OpenBSD 4.2, 4.1 and 4.0.
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch
Credits:
The bug was found by Nahuel Riva and Gerardo Richarte of Core
Security Technologies.