SHA256
1
0
forked from pool/dhcp

- Applied security fix for unexpected abort caused by a DHCPv6

decline message (CVE-2011-0413, VU#686084, bnc#667655).
- Fixed dhclient.conf to request the domain-search option.

OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=53
This commit is contained in:
Marius Tomaschewski 2011-02-02 09:03:02 +00:00 committed by Git OBS Bridge
parent 3937129549
commit 3e8864fa10
4 changed files with 86 additions and 1 deletions

View File

@ -35,7 +35,7 @@ option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
# Request several well known/usefull dhcp options. # Request several well known/usefull dhcp options.
request subnet-mask, broadcast-address, routers, request subnet-mask, broadcast-address, routers,
rfc3442-classless-static-routes, rfc3442-classless-static-routes,
interface-mtu, host-name, domain-name, interface-mtu, host-name, domain-name, domain-search,
domain-name-servers, nis-domain, nis-servers, domain-name-servers, nis-domain, nis-servers,
nds-context, nds-servers, nds-tree-name, nds-context, nds-servers, nds-tree-name,
netbios-name-servers, netbios-dd-server, netbios-name-servers, netbios-dd-server,

View File

@ -0,0 +1,76 @@
From d995f772e6b957c7569a640d024daa3e58c08f56 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Wed, 2 Feb 2011 09:18:39 +0100
Subject: [PATCH] Unexpected abort caused by a DHCPv6 decline
! When processing a request in the DHCPv6 server code that specifies
an address that is tagged as abandoned (meaning we received a
decline request for it previously) don't attempt to move it from
the inactive to active pool as doing so can result in the server
crshing on an assert failure. Also retag the lease as active
and reset it's timeout value.
[ISC-Bugs #21921] (CVE-2011-0413, VU#686084)
Signed-off-by: Marius Tomaschewski <mt@suse.de>
---
server/mdb6.c | 19 ++++++++++++++++---
1 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/server/mdb6.c b/server/mdb6.c
index 87bd152..9d410f5 100644
--- a/server/mdb6.c
+++ b/server/mdb6.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2010 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2011 by Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -1010,7 +1010,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
* Renew an lease in the pool.
*
* To do this, first set the new hard_lifetime_end_time for the resource,
- * and then invoke renew_lease() on it.
+ * and then invoke renew_lease6() on it.
*
* WARNING: lease times must only be extended, never reduced!!!
*/
@@ -1020,12 +1020,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
* If we're already active, then we can just move our expiration
* time down the heap.
*
+ * If we're abandoned then we are already on the active list
+ * but we need to retag the lease and move our expiration
+ * from infinite to the current value
+ *
* Otherwise, we have to move from the inactive heap to the
* active heap.
*/
if (lease->state == FTS_ACTIVE) {
isc_heap_decreased(pool->active_timeouts, lease->heap_index);
return ISC_R_SUCCESS;
+ } else if (lease->state == FTS_ABANDONED) {
+ char tmp_addr[INET6_ADDRSTRLEN];
+ lease->state = FTS_ACTIVE;
+ isc_heap_increased(pool->active_timeouts, lease->heap_index);
+ log_info("Reclaiming previously abandoned address %s",
+ inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
+ sizeof(tmp_addr)));
+ return ISC_R_SUCCESS;
} else {
return move_lease_to_active(pool, lease);
}
@@ -1115,7 +1127,8 @@ isc_result_t
decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
isc_result_t result;
- if (lease->state != FTS_ACTIVE) {
+ if ((lease->state != FTS_ACTIVE) &&
+ (lease->state != FTS_ABANDONED)) {
result = move_lease_to_active(pool, lease);
if (result != ISC_R_SUCCESS) {
return result;
--
1.7.1

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Feb 2 09:02:18 UTC 2011 - mt@suse.de
- Applied security fix for unexpected abort caused by a DHCPv6
decline message (CVE-2011-0413, VU#686084, bnc#667655).
- Fixed dhclient.conf to request the domain-search option.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Dec 13 08:51:59 UTC 2010 - mt@suse.de Mon Dec 13 08:51:59 UTC 2010 - mt@suse.de

View File

@ -83,6 +83,7 @@ Patch39: dhcp-4.2.0-P1-no-libcrypto.diff
Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff
Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
Patch42: dhcp-4.1.1-P1-optional-value-infinite-loop.diff Patch42: dhcp-4.1.1-P1-optional-value-infinite-loop.diff
Patch43: dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
## ##
PreReq: /bin/touch /sbin/chkconfig sysconfig PreReq: /bin/touch /sbin/chkconfig sysconfig
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -208,6 +209,7 @@ Authors:
%patch40 -p1 %patch40 -p1
%patch41 -p1 %patch41 -p1
%patch42 -p1 %patch42 -p1
%patch43 -p1
## ##
find . -type f -name \*.cat\* -exec rm -f {} \; find . -type f -name \*.cat\* -exec rm -f {} \;
dos2unix contrib/ms2isc/* dos2unix contrib/ms2isc/*