From: Shawn Routhier
Date: Tue, 19 Jul 2011 22:13:26 +0000 (+0000)
Subject: Two packets were found that cause a server to halt. The code
X-Git-Tag: v4_3_0a1~158
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bd96ccb219b548be4f9cd639a113a2e949cea99;p=thirdparty%2Fdhcp.git

Two packets were found that cause a server to halt. The code has been updated to properly process or reject the packets as appropriate. Thanks to David Zych at University of Illinois for reporting this issue. [ISC-Bugs #24960] One CVE number for each class of packet. CVE-2011-2748 CVE-2011-2749
---
diff --git a/RELNOTES b/RELNOTES
index 01d8772fd..ba8e44d8d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -190,6 +190,14 @@ work on other platforms. Please report any problems and suggested fixes to
 in site.h then server will be terminated [ISC-Bugs #23595]
+! Two packets were found that cause a server to halt. The code
+ has been updated to properly process or reject the packets as
+ appropriate. Thanks to David Zych at University of Illinois
+ for reporting this issue. [ISC-Bugs #24960]
+ One CVE number for each class of packet.
+ CVE-2011-2748
+ CVE-2011-2749
+
 Changes since 4.2.0
 - Documentation cleanup covering multiple tickets
diff --git a/common/discover.c b/common/discover.c
index 07129e5dc..1d8421928 100644
--- a/common/discover.c
+++ b/common/discover.c
@@ -1403,12 +1403,16 @@ isc_result_t got_one (h)
 if (result == 0)
 return ISC_R_UNEXPECTED;
- /* If we didn't at least get the fixed portion of the BOOTP packet, drop the packet. We're allowing packets with no sname or filename, because we're aware of at least one client that sends such packets, but this definitely falls into the category of being forgiving. */
- if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
+ /*
+ * If we didn't at least get the fixed portion of the BOOTP
+ * packet, drop the packet.
+ * Previously we allowed packets with no sname or filename
+ * as we were aware of at least one client that did. But
+ * a bug caused short packets to not work and nobody has
+ * complained, it seems rational to tighten up that
+ * restriction.
+ */
+ if (result < DHCP_FIXED_NON_UDP)
 return ISC_R_UNEXPECTED;
 #if defined(IP_PKTINFO) && defined(IP_RECVPKTINFO) && defined(USE_V4_PKTINFO)
diff --git a/common/options.c b/common/options.c
index 09c4cd029..e37fd3d8e 100644
--- a/common/options.c
+++ b/common/options.c
@@ -3,7 +3,7 @@ DHCP options parsing and reassembly. */
 /*
- * Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2011 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1995-2003 by Internet Software Consortium
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
 } else if (bootpp) {
 mb_size = 64;
 if (inpacket != NULL &&
- (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
- mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
+ (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
+ mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
 } else
 mb_size = DHCP_MIN_OPTION_LEN;
diff --git a/server/dhcp.c b/server/dhcp.c
index de27c1a93..5875bb1be 100644
--- a/server/dhcp.c
+++ b/server/dhcp.c
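Review bot: The tightened guard `if (result < DHCP_FIXED_NON_UDP)` discards short packets silently, exactly like the `result == 0` path above it, so an operator has no way to notice that a client which relied on the removed sname/filename allowance is now being dropped; a debug-level log of the received length would make that visible (got_one continues outside the hunk, so I cannot see whether a suitable logging call is already used there). The new comment records the history but not the reason the floor is DHCP_FIXED_NON_UDP, and its last sentence is a run-on; I would replace the two sentences after "drop the packet." with `* Later code treats the bytes from offset DHCP_FIXED_NON_UDP as the option area (see cons_options), so anything shorter would be read past the data actually received; the old allowance for missing sname/filename was dropped because short packets had not worked anyway and nobody complained.` The cons_options hunk in this same commit subtracts DHCP_FIXED_NON_UDP from packet_length, so this check is what keeps that subtraction from wrapping, which is worth stating here rather than leaving implicit.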
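Review bot: The literal 64 now appears twice in the bootpp branch (`mb_size = 64;` and `packet_length >= 64 + DHCP_FIXED_NON_UDP`) with nothing saying what it is, so the two can drift apart on a later edit; a named constant, or at least `/* 64 = size of the fixed BOOTP vend field: reply with that much, or with the client's own option area if it sent more */` above the first use, would pin it down (I assume 64 is the BOOTP vend length from its use here; confirm against the header). The corrected subtraction also deserves a comment tying it to the other hunk, since the name DHCP_FIXED_LEN presumably counted IP/UDP overhead that packet_length does not include: `/* packet_length is measured from the BOOTP header; discover.c rejects anything shorter than DHCP_FIXED_NON_UDP, so this cannot underflow */`. cons_options continues outside the hunk.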
@@ -2354,6 +2354,7 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp)
 * giaddr. */
 if (!packet->agent_options_stashed &&
+ (packet->options != NULL) &&
 packet->options->universe_count > agent_universe.index &&
 packet->options->universes[agent_universe.index] != NULL) {
 oc = lookup_option (&server_universe, state -> options,
@@ -4506,6 +4507,7 @@ maybe_return_agent_options(struct packet *packet, struct option_state *options)
 * by the user into the new state, not just give up. */
 if (!packet->agent_options_stashed &&
+ (packet->options != NULL) &&
 packet->options->universe_count > agent_universe.index &&
 packet->options->universes[agent_universe.index] != NULL &&
 (options->universe_count <= agent_universe.index ||
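Review bot: Adding `(packet->options != NULL) &&` guards only these two condition chains; if ack_lease or maybe_return_agent_options dereferences packet->options anywhere else in its body (both functions run outside the hunks), those paths would still fault on the same packet, and a reader cannot tell from here whether such a packet is rejected earlier. A short comment on why the pointer can be NULL would help the next maintainer, e.g. `/* packet->options is NULL when the request carried no parsable options; treat that as "no agent options" rather than dereference it */` — hedged, since the parse path is not visible here. Stylistically the new term is the only parenthesised comparison in the chain; `packet->options != NULL &&` matches the two lines below it. The same points apply to the maybe_return_agent_options hunk.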