into a hardware address handle unexpected client ids properly.
Thanks to Markus Hietava of Codenomicon CROSS project for the
finding this issue and CERT-FI for vulnerability coordination.
[ISC-Bugs #29852]
CVE: CVE-2012-3570
[ISC-Bugs #29851]
CVE: CVE-2012-3571
+! When attempting to convert a DUID from a client id option
+ into a hardware address handle unexpected client ids properly.
+ Thanks to Markus Hietava of Codenomicon CROSS project for the
+ finding this issue and CERT-FI for vulnerability coordination.
+ [ISC-Bugs #29852]
+ CVE: CVE-2012-3570
+
Changes since 4.2.3
! Add a check for a null pointer before calling the regexec function.
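Review bot: In the added release-note entry, "for the finding this issue" carries a stray "the", and "handle unexpected client ids properly" does not tell a reader what changed. Suggest "for finding this issue" and stating the behaviour, for example that a client id yielding a hardware address longer than HARDWARE_ADDR_LEN is now rejected. The context lines above show the same wording in the existing entry, so both copies should be corrected together.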
isc_boolean_t unicast;
};
-/* A network interface's MAC address. */
+/*
+ * A network interface's MAC address.
+ * 20 bytes for the hardware address
+ * and 1 byte for the type tag
+ */
+
+#define HARDWARE_ADDR_LEN 20
struct hardware {
u_int8_t hlen;
- u_int8_t hbuf[21];
+ u_int8_t hbuf[HARDWARE_ADDR_LEN + 1];
};
#if defined(LDAP_CONFIGURATION)
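Review bot: The new comment above struct hardware documents the layout of hbuf but not what hlen counts, and that is the detail every bounds check depends on. Please state in the comment whether hlen includes the 1-byte type tag (maximum HARDWARE_ADDR_LEN + 1) or only the address bytes (maximum HARDWARE_ADDR_LEN). Also, the blank line and the #define now sit between the comment and the struct it describes; moving the #define above the comment keeps them attached.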
break;
}
- if (hlen == 0)
+ if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN))
return 0;
/*
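Review bot: The upper bound in `(hlen > HARDWARE_ADDR_LEN)` is only correct if hlen at this point excludes the type byte, since hbuf is declared as HARDWARE_ADDR_LEN + 1 bytes. The visible lines do not show how hlen is derived or how many bytes are copied afterwards, so please confirm the copy writes at most hlen bytes after the type tag and say so in a short comment next to the check. The oversized case also shares the silent `return 0` with the empty case; a debug-level log for the oversized client id would help operators notice malformed requests.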