From ef8d97cd543d87135b3aae2d778a6f91cb800498 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Wed, 2 Feb 2011 09:18:39 +0100
Subject: [PATCH] Unexpected abort caused by a DHCPv6 decline
Security fix (CVE-2011-0413, VU#686084, bnc#667655) extracted from
dhcp-4.2.1b1 sources; description from dhcp-4.2.1b1/RELNOTES:
! When processing a request in the DHCPv6 server code that specifies
an address that is tagged as abandoned (meaning we received a
decline request for it previously) don't attempt to move it from
the inactive to active pool as doing so can result in the server
crashing on an assert failure. Also retag the lease as active
and reset it's timeout value.
[ISC-Bugs #21921]
Signed-off-by: Marius Tomaschewski <mt@suse.de>
---
server/mdb6.c | 19 ++++++++++++++++---
1 files changed, 16 insertions(+), 3 deletions(-)
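--- a/server/mdb6.c
+++ b/server/mdb6.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2011 by Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -1010,7 +1010,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
 * Renew an lease in the pool.
 *
 * To do this, first set the new hard_lifetime_end_time for the resource,
- * and then invoke renew_lease() on it.
+ * and then invoke renew_lease6() on it.
 *
 * WARNING: lease times must only be extended, never reduced!!!
 */
@@ -1020,12 +1020,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
 * If we're already active, then we can just move our expiration
 * time down the heap.
 *
+ * If we're abandoned then we are already on the active list
+ * but we need to retag the lease and move our expiration
+ * from infinite to the current value
+ *
 * Otherwise, we have to move from the inactive heap to the
 * active heap.
 */
 if (lease->state == FTS_ACTIVE) {
 isc_heap_decreased(pool->active_timeouts, lease->heap_index);
 return ISC_R_SUCCESS;
+ } else if (lease->state == FTS_ABANDONED) {
+ char tmp_addr[INET6_ADDRSTRLEN];
+ lease->state = FTS_ACTIVE;
+ isc_heap_increased(pool->active_timeouts, lease->heap_index);
+ log_info("Reclaiming previously abandoned address %s",
+ inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
+ sizeof(tmp_addr)));
+ return ISC_R_SUCCESS;
 } else {
 return move_lease_to_active(pool, lease);
 }
@@ -1115,7 +1127,8 @@ isc_result_t
 decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
 isc_result_t result;
 
- if (lease->state != FTS_ACTIVE) {
+ if ((lease->state != FTS_ACTIVE) &&
+ (lease->state != FTS_ABANDONED)) {
 result = move_lease_to_active(pool, lease);
 if (result != ISC_R_SUCCESS) {
 return result;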
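Review bot: The new `FTS_ABANDONED` branch in `renew_lease6()` depends on two preconditions that the code does not check. The lease must already sit on `pool->active_timeouts` at `lease->heap_index`, and the caller must already have replaced the abandoned lease's "infinite" expiry with the new `hard_lifetime_end_time`. The abort this commit fixes came from a wrong assumption about which heap a lease is on, so I would state both in the block comment, e.g. `* Callers must have stored the new hard_lifetime_end_time first; an abandoned lease stays on active_timeouts, so only its heap position changes.` The comment should also say why this branch calls `isc_heap_increased()` while the `FTS_ACTIVE` branch calls `isc_heap_decreased()`; presumably the heap is ordered by earliest expiry, which is not visible here. The function body starts outside the hunk, and the last hunk relies on the same invariant when `decline_lease6()` skips `move_lease_to_active()` for abandoned leases.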
--
1.7.1