rpm/dhcp
SHA256
1
0
Fork 0
forked from pool/dhcp
Code Pull Requests Activity

Accepting request 567653 from home:ndas:branches:network:dhcp

Browse Source 
- Optimized if and when DNS client context and ports
 are initted (bsc#1073935)
 [+ 0022-Optimized-if-and-when-DNS-client-context-and-.patch]

- Plugs a socket descriptor leak in OMAPI(bsc#1076119, CVE-2017-3144) 
  [ +0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch]

OBS-URL: https://build.opensuse.org/request/show/567653
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=181
This commit is contained in:
Nirmoy Das 2018-02-01 09:07:17 +00:00 committed by Git OBS Bridge
parent fe306dab60
commit 6e52066a8e
4 changed files with 385 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch Normal file
View File

@ -0,0 +1,61 @@
From 1a6b62fe17a42b00fa234d06b6dfde3d03451894 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Thu, 7 Dec 2017 11:23:36 -0500
Subject: [PATCH] [master] Plugs a socket descriptor leak in OMAPI
Merges in rt46767.
---
RELNOTES | 5 +++++
omapip/buffer.c | 9 +++++++++
omapip/message.c | 2 +-
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/RELNOTES b/RELNOTES
index cf44b3e..d43e7b3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -919,6 +919,11 @@ by Eric Young (eay@cryptsoft.com).
and our website for directions on bug submissions.
[ISC-Bugs #24789]
+- Plugged a socket descriptor leak in OMAPI, that can occur when there is
+ data pending to be written to an OMAPI connection, when the connection
+ is closed by the reader.
+ [ISc-Bugs #46767]
+
Changes since 4.2.0 (new features)
- If a client renews before 'dhcp-cache-threshold' percent of its lease
diff --git a/omapip/buffer.c b/omapip/buffer.c
index f7fdc32..809034d 100644
--- a/omapip/buffer.c
+++ b/omapip/buffer.c
@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
omapi_buffer_dereference (&buffer, MDL);
}
}
+
+ /* If we had data left to write when we're told to disconnect,
+ * we need recall disconnect, now that we're done writing.
+ * See rt46767. */
+ if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
+ omapi_disconnect (h, 1);
+ return ISC_R_SHUTTINGDOWN;
+ }
+
return ISC_R_SUCCESS;
}
diff --git a/omapip/message.c b/omapip/message.c
index 59ccdc2..21bcfc3 100644
--- a/omapip/message.c
+++ b/omapip/message.c
@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
}
#ifdef DEBUG_PROTOCOL
-static const char *omapi_message_op_name(int op) {
+const char *omapi_message_op_name(int op) {
switch (op) {
case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN";
case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";

306
0022-Optimized-if-and-when-DNS-client-context-and-ports.patch Normal file
View File

@ -0,0 +1,306 @@
From df869de2b9f95f14ce4eca142afaf0f1fef29809 Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Thu, 11 Jan 2018 10:20:59 +0100
Subject: [PATCH] modified for SLES
From ca22af89996483efd820de0084c964fc336ee7c1 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Mon, 19 Jun 2017 14:44:29 -0400
Subject: [PATCH] [master] Optimized if and when DNS client context and ports
are initted
Merges in rt45290.
---
RELNOTES | 9 ++++++
client/dhclient.8 | 5 +--
client/dhclient.c | 4 +--
common/dns.c | 15 +++++++--
includes/omapip/isclib.h | 9 +++++-
omapip/isclib.c | 80 ++++++++++++++++++++++++++++++------------------
relay/dhcrelay.c | 3 +-
server/dhcpd.8 | 6 ++--
server/dhcpd.c | 14 ++++++---
9 files changed, 100 insertions(+), 45 deletions(-)
---
client/dhclient.8 | 5 +--
client/dhclient.c | 4 +--
common/dns.c | 15 +++++++--
includes/omapip/isclib.h | 9 +++++-
omapip/isclib.c | 80 ++++++++++++++++++++++++++++++------------------
relay/dhcrelay.c | 3 +-
server/dhcpd.8 | 4 +--
server/dhcpd.c | 14 ++++++---
8 files changed, 90 insertions(+), 44 deletions(-)
diff --git a/client/dhclient.8 b/client/dhclient.8
index d9a26b7..8991e16 100644
--- a/client/dhclient.8
+++ b/client/dhclient.8
@@ -461,8 +461,9 @@ port will be used for the established connection.
When DDNS is enabled at compile time (see includes/site.h)
the client will open both a v4 and a v6 UDP socket on
-random ports. These ports are opened even if DDNS is disabled
-in the configuration file.
+random ports. These ports are not opened unless/until the
+client first attempts to do an update. If the client is not
+configured to do updates, the ports will never be opened.
.PP
.SH CONFIGURATION
The syntax of the \fBdhclient.conf(5)\fR file is discussed separately.
diff --git a/client/dhclient.c b/client/dhclient.c
index 2804ea8..d3fe751 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -187,8 +187,8 @@ main(int argc, char **argv) {
#endif
/* Set up the isc and dns library managers */
- status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB,
- NULL, NULL);
+ status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB
+ | DHCP_DNS_CLIENT_LAZY_INIT, NULL, NULL);
if (status != ISC_R_SUCCESS)
log_fatal("Can't initialize context: %s",
isc_result_totext(status));
diff --git a/common/dns.c b/common/dns.c
index 0f8be80..2ca4ba8 100644
--- a/common/dns.c
+++ b/common/dns.c
@@ -3,8 +3,7 @@
Domain Name Service subroutines. */
/*
- * Copyright (c) 2009-2015 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 2004-2007 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 2001-2003 by Internet Software Consortium
*
* Permission to use, copy, modify, and distribute this software for any
@@ -2151,6 +2150,12 @@ ddns_modify_fwd(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
isc_sockaddrlist_t *zlist = NULL;
+ /* Creates client context if we need to */
+ result = dns_client_init();
+ if (result != ISC_R_SUCCESS) {
+ return result;
+ }
+
/* Get a pointer to the clientname to make things easier. */
clientname = (unsigned char *)ddns_cb->fwd_name.data;
@@ -2359,6 +2364,12 @@ ddns_modify_ptr(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
unsigned char buf[256];
int buflen;
+ /* Creates client context if we need to */
+ result = dns_client_init();
+ if (result != ISC_R_SUCCESS) {
+ return result;
+ }
+
/*
* Try to lookup the zone in the zone cache. As with the forward
* case it's okay if we don't have one, the DNS code will try to
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index caa388a..e296308 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -3,7 +3,7 @@
connections to the isc and dns libraries */
/*
- * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009-2017 by Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -98,6 +98,10 @@ typedef struct dhcp_context {
isc_timermgr_t *timermgr;
#if defined (NSUPDATE)
dns_client_t *dnsclient;
+ int use_local4;
+ isc_sockaddr_t local4_sockaddr;
+ int use_local6;
+ isc_sockaddr_t local6_sockaddr;
#endif
} dhcp_context_t;
@@ -125,6 +129,7 @@ isclib_make_dst_key(char *inname,
#define DHCP_CONTEXT_PRE_DB 1
#define DHCP_CONTEXT_POST_DB 2
+#define DHCP_DNS_CLIENT_LAZY_INIT 4
isc_result_t dhcp_context_create(int flags,
struct in_addr *local4,
struct in6_addr *local6);
@@ -133,4 +138,6 @@ void isclib_cleanup(void);
void dhcp_signal_handler(int signal);
extern int shutdown_signal;
+isc_result_t dns_client_init();
+
#endif /* ISCLIB_H */
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 13f0d3e..ce86490 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -1,5 +1,5 @@
/*
- * Copyright(c) 2009-2010,2013-2014 by Internet Systems Consortium, Inc.("ISC")
+ * Copyright(c) 2009-2017 by Internet Systems Consortium, Inc.("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -221,39 +221,24 @@ dhcp_context_create(int flags,
#if defined (NSUPDATE)
if ((flags & DHCP_CONTEXT_POST_DB) != 0) {
- isc_sockaddr_t localaddr4, *localaddr4_ptr = NULL;
- isc_sockaddr_t localaddr6, *localaddr6_ptr = NULL;
+ /* Setting addresses only.
+ * All real work will be done later on if needed to avoid
+ * listening on ddns port if client/server was compiled with
+ * ddns support but not using it. */
if (local4 != NULL) {
- isc_sockaddr_fromin(&localaddr4, local4, 0);
- localaddr4_ptr = &localaddr4;
+ dhcp_gbl_ctx.use_local4 = 1;
+ isc_sockaddr_fromin(&dhcp_gbl_ctx.local4_sockaddr,
+ local4, 0);
}
+
if (local6 != NULL) {
- isc_sockaddr_fromin6(&localaddr6, local6, 0);
- localaddr6_ptr = &localaddr6;
+ dhcp_gbl_ctx.use_local6 = 1;
+ isc_sockaddr_fromin6(&dhcp_gbl_ctx.local6_sockaddr,
+ local6, 0);
}
- result = dns_client_createx2(dhcp_gbl_ctx.mctx,
- dhcp_gbl_ctx.actx,
- dhcp_gbl_ctx.taskmgr,
- dhcp_gbl_ctx.socketmgr,
- dhcp_gbl_ctx.timermgr,
- 0,
- &dhcp_gbl_ctx.dnsclient,
- localaddr4_ptr,
- localaddr6_ptr);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * If we can't set up the servers we may not be able to
- * do DDNS but we should continue to try and perform
- * our basic functions and let the user sort it out.
- */
- result = dhcp_dns_client_setservers();
- if (result != ISC_R_SUCCESS) {
- log_error("Unable to set resolver from resolv.conf; "
- "startup continuing but DDNS support "
- "may be affected");
+ if (!(flags & DHCP_DNS_CLIENT_LAZY_INIT)) {
+ result = dns_client_init();
}
}
#endif
@@ -360,3 +345,40 @@ void dhcp_signal_handler(int signal) {
(void) isc_app_ctxsuspend(ctx);
}
}
+
+isc_result_t dns_client_init() {
+ isc_result_t result;
+ if (dhcp_gbl_ctx.dnsclient == NULL) {
+ result = dns_client_createx2(dhcp_gbl_ctx.mctx,
+ dhcp_gbl_ctx.actx,
+ dhcp_gbl_ctx.taskmgr,
+ dhcp_gbl_ctx.socketmgr,
+ dhcp_gbl_ctx.timermgr,
+ 0,
+ &dhcp_gbl_ctx.dnsclient,
+ (dhcp_gbl_ctx.use_local4 ?
+ &dhcp_gbl_ctx.local4_sockaddr
+ : NULL),
+ (dhcp_gbl_ctx.use_local6 ?
+ &dhcp_gbl_ctx.local6_sockaddr
+ : NULL));
+
+ if (result != ISC_R_SUCCESS) {
+ log_error("Unable to create DNS client context:"
+ " result: %d", result);
+ return result;
+ }
+
+ /* If we can't set up the servers we may not be able to
+ * do DDNS but we should continue to try and perform
+ * our basic functions and let the user sort it out. */
+ result = dhcp_dns_client_setservers();
+ if (result != ISC_R_SUCCESS) {
+ log_error("Unable to set resolver from resolv.conf; "
+ "startup continuing but DDNS support "
+ "may be affected: result %d", result);
+ }
+ }
+
+ return ISC_R_SUCCESS;
+}
diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
index 9d39fae..3abbe1e 100644
--- a/relay/dhcrelay.c
+++ b/relay/dhcrelay.c
@@ -204,8 +204,7 @@ main(int argc, char **argv) {
#endif
/* Set up the isc and dns library managers */
- status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB,
- NULL, NULL);
+ status = dhcp_context_create(DHCP_CONTEXT_PRE_DB, NULL, NULL);
if (status != ISC_R_SUCCESS)
log_fatal("Can't initialize context: %s",
isc_result_totext(status));
diff --git a/server/dhcpd.8 b/server/dhcpd.8
index bfda639..259b91c 100644
--- a/server/dhcpd.8
+++ b/server/dhcpd.8
@@ -358,8 +358,8 @@ port will be used for the established connection.
When DDNS is enabled at compile time (see includes/site.h)
the server will open both a v4 and a v6 UDP socket on
-random ports. These ports are opened even if DDNS is disabled
-in the configuration file.
+random ports, unless DDNS updates are globally disabled by
+setting ddns-update-style to none in the configuration file.
.PP
.SH CONFIGURATION
The syntax of the dhcpd.conf(5) file is discussed separately. This
diff --git a/server/dhcpd.c b/server/dhcpd.c
index 0f5c640..d7c4456 100644
--- a/server/dhcpd.c
+++ b/server/dhcpd.c
@@ -1053,10 +1053,16 @@ void postconf_initialization (int quiet)
}
}
- if (dhcp_context_create(DHCP_CONTEXT_POST_DB, local4_ptr, local6_ptr)
- != ISC_R_SUCCESS)
- log_fatal("Unable to complete ddns initialization");
-
+ /* Don't init DNS client if update style is none. This avoids
+ * listening ports that aren't needed. We don't use ddns-udpates
+ * as that has multiple levels of scope. */
+ if (ddns_update_style != DDNS_UPDATE_STYLE_NONE) {
+ if (dhcp_context_create(DHCP_CONTEXT_POST_DB,
+ local4_ptr, local6_ptr)
+ != ISC_R_SUCCESS) {
+ log_fatal("Unable to complete ddns initialization");
+ }
+ }
#else
/* If we don't have support for updates compiled in tell the user */
if (ddns_update_style != DDNS_UPDATE_STYLE_NONE) {
--
2.15.0

13
dhcp.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Fri Jan 19 12:16:47 CET 2018 - ndas@suse.de
- Optimized if and when DNS client context and ports
are initted (bsc#1073935)
[+ 0022-Optimized-if-and-when-DNS-client-context-and-.patch]
-------------------------------------------------------------------
Tue Jan 16 16:15:45 CET 2018 - ndas@suse.de
- Plugs a socket descriptor leak in OMAPI(bsc#1076119, CVE-2017-3144)
[ +0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch]
-------------------------------------------------------------------
Wed Dec 13 15:52:25 UTC 2017 - mchandras@suse.de

6
dhcp.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package dhcp
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -113,6 +113,8 @@ Patch18: 0018-client-fail-on-script-pre-init-error-bsc-912098.patch
# PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780
Patch19: 0019-dhcp-4.2.4-P1-interval.patch
Patch20: 0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
Patch21: 0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch
Patch22: 0022-Optimized-if-and-when-DNS-client-context-and-ports.patch
##
PreReq: /bin/touch /sbin/chkconfig sysconfig
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -249,6 +251,8 @@ Authors:
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
##
find . -type f -name \*.cat\* -exec rm -f {} \;
dos2unix contrib/ms2isc/*