Two packets were found that cause a server to halt. The code

has been updated to properly process or reject the packets as
appropriate.  Thanks to David Zych at University of Illinois
for reporting this issue.  [ISC-Bugs #24960]
One CVE number for each class of packet.
CVE-2011-2748
CVE-2011-2749

diff --git a/RELNOTES b/RELNOTES
index e7c94264745b79ac4661e995adc5b5835e7522b7..c0251b6746789c49394fab27407b16a101dea83d 100644 (file)
--- a/RELNOTES
+++ b/RELNOTES
@@ -39,6 +39,16 @@ The system has only been tested on Linux, FreeBSD, and Solaris, and may not
 work on other platforms. Please report any problems and suggested fixes to
 <dhcp-users@isc.org>.
 
+                       Changes since 4.2.2rc1
+
+! Two packets were found that cause a server to halt.  The code
+  has been updated to properly process or reject the packets as
+  appropriate.  Thanks to David Zych at University of Illinois
+  for reporting this issue.  [ISC-Bugs #24960]
+  One CVE number for each class of packet.
+  CVE-2011-2748
+  CVE-2011-2749
+
                        Changes since 4.2.2b1
 
 - Strict checks for content of domain-name DHCPv4 option can now be 

diff --git a/common/discover.c b/common/discover.c
index 07129e5dcc0cf758f2f4b5a1d2fa66297e488775..1d8421928ea3c2f7bfeada8fff996dae55bc7cc4 100644 (file)
--- a/common/discover.c
+++ b/common/discover.c
@@ -1403,12 +1403,16 @@ isc_result_t got_one (h)
        if (result == 0)
                return ISC_R_UNEXPECTED;
 
-       /* If we didn't at least get the fixed portion of the BOOTP
-          packet, drop the packet.  We're allowing packets with no
-          sname or filename, because we're aware of at least one
-          client that sends such packets, but this definitely falls
-          into the category of being forgiving. */
-       if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
+       /*
+        * If we didn't at least get the fixed portion of the BOOTP
+        * packet, drop the packet.
+        * Previously we allowed packets with no sname or filename
+        * as we were aware of at least one client that did.  But
+        * a bug caused short packets to not work and nobody has
+        * complained, it seems rational to tighten up that
+        * restriction.
+        */
+       if (result < DHCP_FIXED_NON_UDP)
                return ISC_R_UNEXPECTED;
 
 #if defined(IP_PKTINFO) && defined(IP_RECVPKTINFO) && defined(USE_V4_PKTINFO)

diff --git a/common/options.c b/common/options.c
index c26f88cbb2070fb0ba85cdcb50cfbca263eee043..80fd8db35d89eee083dfc168fbc759fdb8bbb459 100644 (file)
--- a/common/options.c
+++ b/common/options.c
@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
        } else if (bootpp) {
                mb_size = 64;
                if (inpacket != NULL &&
-                   (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
-                       mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
+                   (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
+                       mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
        } else
                mb_size = DHCP_MIN_OPTION_LEN;
 

diff --git a/server/dhcp.c b/server/dhcp.c
index 02157059d7d2dbb211f7128443220b128c79eaad..da4585f05dfae5484472bb411e06a8facb0804b5 100644 (file)
--- a/server/dhcp.c
+++ b/server/dhcp.c
@@ -2353,6 +2353,7 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp)
         * giaddr.
         */
        if (!packet->agent_options_stashed &&
+           (packet->options != NULL) &&
            packet->options->universe_count > agent_universe.index &&
            packet->options->universes[agent_universe.index] != NULL) {
            oc = lookup_option (&server_universe, state -> options,
@@ -4456,6 +4457,7 @@ maybe_return_agent_options(struct packet *packet, struct option_state *options)
         * by the user into the new state, not just give up.
         */
        if (!packet->agent_options_stashed &&
+           (packet->options != NULL) &&
            packet->options->universe_count > agent_universe.index &&
            packet->options->universes[agent_universe.index] != NULL &&
            (options->universe_count <= agent_universe.index ||