- A bug was fixed that caused the 'conflict-done' state to fail to be parsed
in failover state records.
+! A stack overflow vulnerability was fixed in dhclient that could allow
+ remote attackers to execute arbitrary commands as root on the system,
+ or simply terminate the client, by providing an over-long subnet-mask
+ option.
+
Changes since 4.1.0b1
- A missing "else" in dhcrelay.c could have caused an interface not to
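Review bot: the new release-note entry at the top of this hunk describes only the symptom (over-long subnet-mask option, root command execution or client crash) and gives no pointer a packager can use to match the fix: it names neither the affected source file nor an advisory or CVE reference. Suggest adding the advisory reference once it is assigned and one clause on the root cause, i.e. that the option's full length was copied into a fixed-size address buffer, so that downstream maintainers can verify they carry the correct change.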
if (data.len > 3) {
struct iaddr netmask, subnet, broadcast;
- memcpy (netmask.iabuf, data.data, data.len);
- netmask.len = data.len;
+ /*
+ * No matter the length of the subnet-mask option,
+ * use only the first four octets. Note that
+ * subnet-mask options longer than 4 octets are not
+ * in conformance with RFC 2132, but servers with this
+ * flaw do exist.
+ */
+ memcpy(netmask.iabuf, data.data, 4);
+ netmask.len = 4;
data_string_forget (&data, MDL);
subnet = subnet_number (lease -> address, netmask);
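Review bot: the fix is sound as far as the overflow goes, because the enclosing `if (data.len > 3)` guard guarantees at least four octets are present before `memcpy(netmask.iabuf, data.data, 4)` runs, but the truncation is silent. Since the new comment acknowledges that non-conforming servers send longer subnet-mask options, suggest logging the received length when `data.len != 4` so operators can spot such servers (and possible probing) rather than having the extra octets dropped without trace. Minor style point: the new `memcpy(netmask.iabuf, ...)` drops the space before the parenthesis that the surrounding calls (`memcpy (`, `data_string_forget (`, `subnet_number (`) use; keep one convention within the function.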