- bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch:

An option refcount overflow exists in dhcpd  
- bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch:
  DHCP memory leak

OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=248

dhcp-CVE-2022-2928.patch

@@ -0,0 +1,100 @@
+--- common/options.c.orig
++++ common/options.c
+@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
+ 	if (!option_cache_allocate(&oc, MDL)) {
+ 		log_error("No memory for option cache adding %s (option %d).",
+ 			  option->name, option_num);
++		/* Get rid of reference created during hash lookup. */
++		option_dereference(&option, MDL);
+ 		return 0;
+ 	}
+ 
+@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
+ 			     MDL)) {
+ 		log_error("No memory for constant data adding %s (option %d).",
+ 			  option->name, option_num);
++		/* Get rid of reference created during hash lookup. */
++		option_dereference(&option, MDL);
+ 		option_cache_dereference(&oc, MDL);
+ 		return 0;
+ 	}
+@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
+ 	save_option(&dhcp_universe, options, oc);
+ 	option_cache_dereference(&oc, MDL);
+ 
++	/* Get rid of reference created during hash lookup. */
++	option_dereference(&option, MDL);
++
+ 	return 1;
+ }
+ 
+--- common/tests/option_unittest.c.orig
++++ common/tests/option_unittest.c
+@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
+     }
+ }
+ 
++ATF_TC(add_option_ref_cnt);
++
++ATF_TC_HEAD(add_option_ref_cnt, tc)
++{
++    atf_tc_set_md_var(tc, "descr",
++        "Verify add_option() does not leak option ref counts.");
++}
++
++ATF_TC_BODY(add_option_ref_cnt, tc)
++{
++    struct option_state *options = NULL;
++    struct option *option = NULL;
++    unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
++    char *cid_str = "1234";
++    int refcnt_before = 0;
++
++    // Look up the option we're going to add.
++    initialize_common_option_spaces();
++    if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++                                 &cid_code, 0, MDL)) {
++        atf_tc_fail("cannot find option definition?");
++    }
++
++    // Get the option's reference count before we call add_options.
++    refcnt_before = option->refcnt;
++
++    // Allocate a option_state to which to add an option.
++    if (!option_state_allocate(&options, MDL)) {
++	    atf_tc_fail("cannot allocat options state");
++    }
++
++    // Call add_option() to add the option to the option state.
++    if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
++	    atf_tc_fail("add_option returned 0");
++    }
++
++    // Verify that calling add_option() only adds 1 to the option ref count.
++    if (option->refcnt != (refcnt_before + 1)) {
++        atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
++                    refcnt_before, option->refcnt);
++    }
++
++    // Derefrence the option_state, this should reduce the ref count to
++    // it's starting value.
++    option_state_dereference(&options, MDL);
++
++    // Verify that dereferencing option_state restores option ref count.
++    if (option->refcnt != refcnt_before) {
++        atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
++                    refcnt_before, option->refcnt);
++    }
++}
++
+ /* This macro defines main() method that will call specified
+    test cases. tp and simple_test_case names can be whatever you want
+    as long as it is a valid variable identifier. */
+@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
+     ATF_TP_ADD_TC(tp, option_refcnt);
+     ATF_TP_ADD_TC(tp, pretty_print_option);
+     ATF_TP_ADD_TC(tp, parse_X);
++    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+ 
+     return (atf_no_error());
+ }

dhcp-CVE-2022-2929.patch

@@ -0,0 +1,23 @@
+--- common/options.c.orig
++++ common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_
+ 		while (s < &bp -> data[0] + length + 2) {
+ 			len = *s;
+ 			if (len > 63) {
+-				log_info ("fancy bits in fqdn option");
+-				return 0;
++				log_info ("label length exceeds 63 in fqdn option");
++				goto bad;
+ 			}
+ 			if (len == 0) {
+ 				terminated = 1;
+ 				break;
+ 			}
+ 			if (s + len > &bp -> data [0] + length + 3) {
+-				log_info ("fqdn tag longer than buffer");
+-				return 0;
++				log_info ("fqdn label longer than buffer");
++				goto bad;
+ 			}
+ 
+ 			if (first_len == 0) {

dhcp.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct  5 14:01:47 UTC 2022 - Reinhard Max <max@suse.com>
+
+- bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch:
+  An option refcount overflow exists in dhcpd  
+- bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch:
+  DHCP memory leak
+
 -------------------------------------------------------------------
 Tue Apr 26 10:48:39 UTC 2022 - Reinhard Max <max@suse.com>
 

dhcp.spec

@@ -96,6 +96,8 @@ Patch18:        0018-client-fail-on-script-pre-init-error-bsc-912098.patch
 # PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780
 Patch20:        0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
 Patch21:        0021-dhcp-ip-family-symlinks.patch
+Patch22:        dhcp-CVE-2022-2928.patch
+Patch23:        dhcp-CVE-2022-2929.patch
 BuildRequires:  automake
 BuildRequires:  dos2unix
 BuildRequires:  libtool
@@ -209,6 +211,8 @@ fi
 %patch18 -p1
 %patch20
 %patch21
+%patch22
+%patch23
 ##
 find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*