a lease file. Thanks to Marius Tomaschewski from SUSE for the report
and prototype patch for this ticket as well as ticket 27289.
+! Previously the server code was relaxed to allow packets with zero
+ length client ids to be processed. Under some situations use of
+ zero length client ids can cause the server to go into an infinite
+ loop. As such ids are not valid according to RFC 2132 section 9.14
+ the server no longer accepts them. Client ids with a length of 1
+ are also invalid but the server still accepts them in order to
+ minimize disruption. The restriction will likely be tightened in
+ the future to disallow ids with a length of 1.
+ Thanks to Markus Hietava of Codenomicon CROSS project for the
+ finding this issue and CERT-FI for vulnerability coordination.
+ [ISC-Bugs #29851]
+ CVE: CVE-2012-3571
+
Changes since 4.2.4rc2
- None
data_string_forget (&dp, MDL);
}
}
-
- if (decoded_packet -> packet_type)
- dhcp (decoded_packet);
- else
- bootp (decoded_packet);
+
+ if (validate_packet(decoded_packet) != 0) {
+ if (decoded_packet->packet_type)
+ dhcp(decoded_packet);
+ else
+ bootp(decoded_packet);
+ }
/* If the caller kept the packet, they'll have upped the refcnt. */
packet_dereference (&decoded_packet, MDL);
return 1;
}
+/**
+ * Checks if received BOOTP/DHCPv4 packet is sane
+ *
+ * @param packet received, decoded packet
+ *
+ * @return 1 if packet is sane, 0 if it is not
+ */
+int validate_packet(struct packet *packet)
+{
+ struct option_cache *oc = NULL;
+ oc = lookup_option (&dhcp_universe, packet->options,
+ DHO_DHCP_CLIENT_IDENTIFIER);
+ if (oc) {
+ /* Let's check if client-identifier is sane */
+ if (oc->data.len == 0) {
+ log_debug("Dropped DHCPv4 packet with zero-length client-id");
+ return (0);
+
+ } else if (oc->data.len == 1) {
+ /*
+ * RFC2132, section 9.14 states that minimum length of client-id
+ * is 2. We will allow single-character client-ids for now (for
+ * backwards compatibility), but warn the user that support for
+ * this is against the standard.
+ */
+ log_debug("Accepted DHCPv4 packet with one-character client-id - "
+ "a future version of ISC DHCP will reject this");
+ }
+ } else {
+ /*
+ * If hlen is 0 we don't have any identifier, we warn the user
+ * but continue processing the packet as we can.
+ */
+ if (packet->raw->hlen == 0) {
+ log_debug("Received DHCPv4 packet without client-id"
+ " option and empty hlen field.");
+ }
+ }
+
+ /* @todo: Add checks for other received options */
+
+ return (1);
+}
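Review bot: validate_packet() rejects a zero-length client-id only at packet intake in do_packet, and the code that actually loops on such an id is not changed in the visible lines, so this guard is the sole protection as far as the hunk shows. Since the release note says zero-length ids were previously accepted, it is worth confirming that ids already recorded (for example in an existing lease file) cannot reach the same code path, or adding a length check at that consumer as well. The drop is reported only through `log_debug`, so operators may not see it at default log levels; a rate-limited `log_info` would make the rejection visible without letting a remote sender flood the log. I would also extend the comment above the `oc->data.len == 0` test to `/* Zero-length client-id: invalid per RFC 2132 section 9.14 and can hang the server (CVE-2012-3571) */`. do_packet begins outside the visible lines, so the validity of `packet->raw` at the `hlen` test could not be checked from here.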