From f26c4a0bef7e566b33e142b2681da2a038c8f61d Mon Sep 17 00:00:00 2001
From: Shawn Routhier
Date: Wed, 8 Sep 2010 22:20:01 +0000
Subject: [PATCH] Minor code fixes [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow the name to be at the apex of the zone. [ISC-Bugs #19617] Restrict length of interface name read from command line in dhcpd - based on a patch from David Cantrell at Red Hat. [ISC-Bugs #20039] Correct some error messages in dhcpd.c [ISC-Bugs #20070] Better range check on values when creating a DHCID. [ISC-Bugs #20198] Avoid writing past the end of the field when adding overly long file or server names to a packet and add a log message if the configuration supplied overly long names for these fields. [ISC-Bugs #21497] Add a little more randomness to rng seed in client
---
RELNOTES | 14 ++++++++++++++
client/dhclient.c | 2 +-
common/dns.c | 15 +++++++++++----
server/dhcp.c | 33 +++++++++++++++++++++++++--------
server/dhcpd.c | 8 ++++++--
5 files changed, 57 insertions(+), 15 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index 888428cc1..34d527af8 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -64,6 +64,20 @@ work on other platforms. Please report any problems and suggested fixes to causing the server to apply configuration intended for one host to any other innocent clients that come along later. [ISC-Bugs #22018] +- Minor code fixes + [ISC-Bugs #19566] When trying to find the zone for a name for ddns allow + the name to be at the apex of the zone. + [ISC-Bugs #19617] Restrict length of interface name read from command line + in dhcpd - based on a patch from David Cantrell at Red Hat. + [ISC-Bugs #20039] Correct some error messages in dhcpd.c + [ISC-Bugs #20070] Better range check on values when creating a DHCID. + [ISC-Bugs #20198] Avoid writing past the end of the field when adding + overly long file or server names to a packet and add a log message + if the configuration supplied overly long names for these fields. + Thanks to Martin Pala. + [ISC-Bugs #21497] Add a little more randomness to rng seed in client + thanks to a patch from Jeremiah Jinno. + Changes since 4.2.0rc1 - Documentation cleanup covering multiple tickets
diff --git a/client/dhclient.c b/client/dhclient.c
index 4a1f09b5b..b98484e36 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -543,7 +543,7 @@ main(int argc, char **argv) { sizeof seed], sizeof seed); seed += junk; } - srandom(seed + cur_time); + srandom(seed + cur_time + (unsigned)getpid()); /* Start a configuration state machine for each interface. */ #ifdef DHCPv6
diff --git a/common/dns.c b/common/dns.c
index b9d6d2ac6..8f1db46b7 100644
--- a/common/dns.c
+++ b/common/dns.c
@@ -658,13 +658,16 @@ find_cached_zone(dhcp_ddns_cb_t *ddns_cb, int direction) /* * For each subzone, try to find a cached zone. - * Skip the first zone as that shouldn't work. */ - for (np = strchr(np, '.'); np != NULL; np = strchr(np, '.')) { - np++; + for (;;) { status = dns_zone_lookup (&zone, np); if (status == ISC_R_SUCCESS) break; + + np = strchr(np, '.'); + if (np == NULL) + break; + np++; } if (status != ISC_R_SUCCESS)
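Review bot: Adding `getpid()` to the `srandom()` argument in client/dhclient.c still leaves the seed guessable, because the clock and a process id are values a local or on-link observer can estimate. Output of `random()` seeded this way should not be relied on where unpredictability matters. Where the platform provides a kernel entropy source, a few bytes read from it could be mixed into `seed` before this call, keeping the current sum as the fallback when the read fails. How `seed` is accumulated and what consumes `random()` are outside the hunk, so the impact is unconfirmed. At minimum a comment such as `/* seed = junk + time + pid: spreads clients apart, not unpredictable */` would record the intent.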
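Review bot: The block comment above the rewritten loop in find_cached_zone no longer describes what the loop does: it now looks up the full name first and only then strips one leading label per pass. A comment such as `/* Try the full name first (it may be the zone apex), then drop one leading label per pass. */` would match the new behaviour. After `np++`, a name ending in a dot leaves `np` pointing at an empty string that is still handed to `dns_zone_lookup`; an `if (*np == '\0') break;` after the increment would skip that lookup. Whether such names can reach this function is not visible in the hunk, and the function body continues outside it.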
@@ -805,7 +808,11 @@ int get_dhcid (struct data_string *id, id->buffer->data[0] = ISC_MD5_DIGESTLENGTH * 2 + 2; /* Put the type in the next two bytes. */ - id->buffer->data[1] = "0123456789abcdef"[type >> 4]; + id->buffer->data[1] = "0123456789abcdef"[(type >> 4) & 0xf]; + /* This should have been [type & 0xf] but now that + * it is in use we need to leave it this way in order + * to avoid disturbing customer's lease files + */ id->buffer->data[2] = "0123456789abcdef"[type % 15]; /* Mash together an MD5 hash of the identifier. */
diff --git a/server/dhcp.c b/server/dhcp.c
index 8fbd7337f..374671c13 100644
--- a/server/dhcp.c
+++ b/server/dhcp.c
@@ -1084,10 +1084,13 @@ void dhcpinform (packet, ms_nulltp) packet -> options, (struct option_state *)0, &global_scope, oc, MDL)) { i = d1.len; - if (i > sizeof raw.file) - i = sizeof raw.file; - else - raw.file [i] = 0; + if (i >= sizeof(raw.file)) { + log_info("file name longer than packet field " + "truncated - field: %d name: %d %.*s", + sizeof(raw.file), i, i, d1.data); + i = sizeof(raw.file); + } else + raw.file[i] = 0; memcpy (raw.file, d1.data, i); data_string_forget (&d1, MDL); }
@@ -1100,10 +1103,13 @@ void dhcpinform (packet, ms_nulltp) packet -> options, (struct option_state *)0, &global_scope, oc, MDL)) { i = d1.len; - if (i > sizeof raw.sname) - i = sizeof raw.sname; - else - raw.sname [i] = 0; + if (i >= sizeof(raw.sname)) { + log_info("server name longer than packet field " + "truncated - field: %d name: %d %.*s", + sizeof(raw.sname), i, i, d1.data); + i = sizeof(raw.sname); + } else + raw.sname[i] = 0; memcpy (raw.sname, d1.data, i); data_string_forget (&d1, MDL); }
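Review bot: The second index in get_dhcid, `"0123456789abcdef"[type % 15]`, is still unguarded: if `type` is a signed integer and ever negative, `%` yields a negative result and the lookup reads before the start of the string literal. Only the first index gains a mask in this hunk. A cast keeps the stored character identical for every non-negative value, so existing lease files are not disturbed, while closing that case: `id->buffer->data[2] = "0123456789abcdef"[(unsigned)type % 15];`. The declaration of `type` is in the part of the signature outside the hunk, so confirm its signedness and the range callers pass.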
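Review bot: The new `log_info` call in dhcpinform passes `sizeof(raw.file)` to a `%d` conversion, but `sizeof` yields `size_t`. Where `size_t` is wider than `int` the arguments no longer match the format, and the following `%d` and `%.*s` arguments may be misread. Use a matching conversion and explicit casts, e.g. `"truncated - field: %lu name: %d %.*s", (unsigned long)sizeof(raw.file), (int)i, (int)i, d1.data`. The same pattern is in the `raw.sname` hunk that follows and in both dhcp_reply hunks, where `state->filename.len` and `state->server_name.len` feed `%d` and the `%.*s` precision; their declared types are outside the diff, so cast them to `int` as well. The name being logged is configuration-supplied data printed as-is, so any non-printable bytes in it reach the log unchanged.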
@@ -3010,6 +3016,11 @@ void dhcp_reply (lease) if (sizeof raw.file > state -> filename.len) memset (&raw.file [state -> filename.len], 0, (sizeof raw.file) - state -> filename.len); + else + log_info("file name longer than packet field " + "truncated - field: %d name: %d %.*s", + sizeof(raw.file), state->filename.len, + state->filename.len, state->filename.data); } else bufs |= 1;
@@ -3023,6 +3034,12 @@ void dhcp_reply (lease) if (sizeof raw.sname > state -> server_name.len) memset (&raw.sname [state -> server_name.len], 0, (sizeof raw.sname) - state -> server_name.len); + else + log_info("server name longer than packet field " + "truncated - field: %d name: %d %.*s", + sizeof(raw.sname), state->server_name.len, + state->server_name.len, + state->server_name.data); } else bufs |= 2; /* XXX */
diff --git a/server/dhcpd.c b/server/dhcpd.c
index 5297175b7..04f8ac1d2 100644
--- a/server/dhcpd.c
+++ b/server/dhcpd.c
@@ -404,6 +404,10 @@ main(int argc, char **argv) { } else { struct interface_info *tmp = (struct interface_info *)0; + if (strlen(argv[i]) >= sizeof(tmp->name)) + log_fatal("%s: interface name too long " + "(is %ld)", + argv[i], (long)strlen(argv[i])); result = interface_allocate (&tmp, MDL); if (result != ISC_R_SUCCESS) log_fatal ("Insufficient memory to %s %s: %s",
@@ -1014,7 +1018,7 @@ void postconf_initialization (int quiet) if (db.len == 4) { memcpy (&limited_broadcast, db.data, 4); } else - log_fatal ("invalid remote port data length"); + log_fatal ("invalid broadcast address data length"); data_string_forget (&db, MDL); }
@@ -1028,7 +1032,7 @@ void postconf_initialization (int quiet) if (db.len == 4) { memcpy (&local_address, db.data, 4); } else - log_fatal ("invalid remote port data length"); + log_fatal ("invalid local address data length"); data_string_forget (&db, MDL); }
--
2.47.3
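Review bot: The added `else log_info(...)` branch in dhcp_reply, here and in the `server_name` hunk that follows, runs each time a reply is built with an over-long configured name. A single bad configuration value therefore produces one log line per packet, and client request rate sets the log volume. Reporting the over-long name once, either when the configuration is parsed or behind a one-shot flag, would keep the diagnostic without the repeated output. The branch also fires when the length exactly equals the field size, where nothing is truncated but the field ends up without a terminating NUL; the message could distinguish that case. The copy into `raw.file` and `raw.sname` that these messages describe is outside the hunk.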
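Review bot: In server/dhcpd.c `sizeof(tmp->name)` is taken while `tmp` is still the null pointer assigned on the line above. That is valid because `sizeof` does not evaluate its operand, but it reads like a null dereference and deserves a comment such as `/* sizeof only inspects the type; tmp is not dereferenced */`. The check protects whatever later copies `argv[i]` into `tmp->name`, which is outside the hunk, and it depends on `log_fatal` not returning. If that copy is unbounded, bounding it at the copy site as well would keep the guard and the copy from drifting apart.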