authorScott Ullrich <sullrich@pfsense.org>2011-04-07 16:11:45 -0400
committerScott Ullrich <sullrich@pfsense.org>2011-04-07 16:11:45 -0400
commit955f2d788edae3c65506ffa12de18e023fd95ae4 (patch)
tree436dc4897c907a41432776d56435d0f3eaa16503 /sbin/dhclient-script
parente05458b052275b5ae881098f15695eba830aae46 (diff)
Use some Seth egrep foo to protect from compromised DHCP servers. CVE-2011-0997
Diffstat (limited to 'sbin/dhclient-script')
-rwxr-xr-xsbin/dhclient-script7
1 files changed, 4 insertions, 3 deletions
diff --git a/sbin/dhclient-script b/sbin/dhclient-script
index e51132e..0f409a3 100755
--- a/sbin/dhclient-script
+++ b/sbin/dhclient-script
@@ -232,13 +232,14 @@ add_new_resolv_conf() {
if [ -n "$new_domain_name_servers" ]; then
/bin/rm -f /var/etc/nameserver_$interface
for nameserver in $new_domain_name_servers; do
+ nameserver_sanitized=`echo '$nameserver' | egrep -o '([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[0-9a-f]+:)'`
# Add a route to the nameserver out the correct interface
# so that mulitple wans work correctly with multiple dns
# also backup the nameserver for later route removal
- echo $nameserver >>/var/etc/nameserver_$interface
- $ROUTE add $nameserver -iface $interface
+ echo '$nameserver_sanitized' >>/var/etc/nameserver_$interface
+ $ROUTE add $nameserver_sanitized -iface $interface
done
- echo $new_domain_name >/var/etc/searchdomain_$interface
+ echo $new_domain_name | egrep -o "[0-9\.]+" >/var/etc/searchdomain_$interface
fi
return 0
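Review bot: The new filter never sees the server-supplied value, because `echo '$nameserver'` is single-quoted: egrep receives the literal text `$nameserver`, `nameserver_sanitized` ends up empty, the following `echo '$nameserver_sanitized'` writes that literal string to the file, and `$ROUTE add` runs without a destination. Even with double quotes, `egrep -o` without anchors extracts matching fragments instead of rejecting a bad value, and the `[0-9a-f]+:` alternative prints an IPv6 address as several partial lines with the last group dropped. The search-domain filter `[0-9\.]+` removes every letter, so an ordinary domain name is reduced to its dots; an anchored whole-line match such as `egrep -x '[A-Za-z0-9.-]+'` on a quoted `"$new_domain_name"` would keep valid names and drop values carrying shell metacharacters. I would validate each nameserver as a whole token and skip it on mismatch, as sketched below (the IPv6 pattern is deliberately loose and should be confirmed against what `$ROUTE` accepts); add_new_resolv_conf starts and ends outside this hunk.

```sh
for nameserver in $new_domain_name_servers; do
	# Accept only a complete IPv4 dotted quad or a hex/colon IPv6 literal;
	# anything else from the lease is skipped, never partially reused.
	if ! printf '%s\n' "$nameserver" | egrep -q -x '([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[0-9A-Fa-f]*:[0-9A-Fa-f:]*)'; then
		continue
	fi
	# … unchanged: comment about per-interface routes and the backup file …
	echo "$nameserver" >>/var/etc/nameserver_$interface
	$ROUTE add "$nameserver" -iface $interface
done
# Whole-line match: a domain containing anything outside the hostname set is dropped
printf '%s\n' "$new_domain_name" | egrep -x '[A-Za-z0-9.-]+' >/var/etc/searchdomain_$interface
```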