e9398b14d9
* CVE-2018-5733, bsc#1083303: reference count overflow in dhcpd.
* CVE-2018-5732, bsc#1083302: buffer overflow bug in dhclient.
* Plugged a socket descriptor leak in OMAPI
* The server now allows the client identifier (option 61) to own
leases in more than one subnet concurrently [ISC-Bugs #41358].
* When replying to a DHCPINFORM, the server will now include
options specified at the pool scope, provided the ciaddr field
of the DHCPINFORM is populated.
[ISC-Bugs #43219] [ISC-Bugs #45051].
* When memory allocation fails in a repeated way the process
writes "Run out of memory." on the standard error and exists
with status 1 [ISC-Bugs #32744].
* The new lmdb (Lightning Memory DataBase) bind9 configure
option is now disabled by default to avoid the presence of
this library to be detected which can lead to a link failure.
[ISC-Bugs #45069]
* The linux interface discovery code has been modified to use
getifaddrs() as is done for BSD and OS-X.
[ISC-Bugs #28761] and others.
* Fixed a bug in OMAPI that causes omshell to crash when a
name-value pair with a zero length value is shipped in an
object [ISC-Bugs #29108].
* On 64-bit platforms, dhclient now generates the correct value
for the script environment variable, "expiry", the lease
expiry value exceeds 0x7FFFFFFF [ISC-Bugs #43326].
* Common timer logic was modified to cap the maximum timeout
values at 0x7FFFFFFF - 1 [ISC-Bugs #28038].
* DHCP6 FQDN option unpacking code now correctly handles values
that contain spaces, special, or non-printable characters.
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=186
68 lines
1.9 KiB
Diff
68 lines
1.9 KiB
Diff
From: Marius Tomaschewski <mt@suse.de>
|
|
Date: Tue, 12 Jan 2016 15:42:22 +0100
|
|
Subject: [PATCH] fixed improper lease duration checking.
|
|
References: bsc#936923, bsc#880984
|
|
|
|
year 2038 is EOT only for 32 bit machine. This patch checks
|
|
wordsize and do a proper EOT checking on lease duration. It
|
|
also fixes integer overflows in the date and time handling code.
|
|
|
|
--- common/parse.c.orig
|
|
+++ common/parse.c
|
|
@@ -939,7 +939,7 @@ TIME
|
|
parse_date_core(cfile)
|
|
struct parse *cfile;
|
|
{
|
|
- int guess;
|
|
+ long guess;
|
|
int tzoff, year, mon, mday, hour, min, sec;
|
|
const char *val;
|
|
enum dhcp_token token;
|
|
@@ -966,7 +966,7 @@ parse_date_core(cfile)
|
|
}
|
|
|
|
skip_token(&val, NULL, cfile); /* consume number */
|
|
- guess = atoi(val);
|
|
+ guess = atol(val);
|
|
|
|
return((TIME)guess);
|
|
}
|
|
@@ -1113,11 +1113,22 @@ parse_date_core(cfile)
|
|
* overflow issues. We could try and be more precise but there
|
|
* doesn't seem to be a good reason to worry about it and waste
|
|
* the cpu looking at the rest of the date. */
|
|
- if (year >= 138)
|
|
- return(MAX_TIME);
|
|
-
|
|
+ if (sizeof(time_t) == 8) {
|
|
+ /* 2038 is not an issue on 64bit. time calculations
|
|
+ * start to fail at almost INT_MAX (- some guard) */
|
|
+ if (year > 0x7fff0000)
|
|
+ return(MAX_TIME);
|
|
+ } else {
|
|
+ /* assume 32bit with end in 2038 */
|
|
+ if (year >= 138)
|
|
+ return(MAX_TIME);
|
|
+ }
|
|
+ /* I don't think we need to care about lease starts before 1900 */
|
|
+ if (year < 0)
|
|
+ return((TIME)0);
|
|
+
|
|
/* Guess the time value... */
|
|
- guess = ((((((365 * (year - 70) + /* Days in years since '70 */
|
|
+ guess = ((((((365 * ((long)year - 70) + /* Days in years since '70 */
|
|
(year - 69) / 4 + /* Leap days since '70 */
|
|
(mon /* Days in months this year */
|
|
? months [mon - 1]
|
|
--- includes/dhcpd.h.orig
|
|
+++ includes/dhcpd.h
|
|
@@ -1588,7 +1588,7 @@ typedef unsigned char option_mask [16];
|
|
#endif
|
|
|
|
#define INFINITE_TIME 0xffffffff
|
|
-#define MAX_TIME 0x7fffffff
|
|
+#define MAX_TIME LONG_MAX
|
|
#define MIN_TIME 0
|
|
|
|
#ifdef USE_LOG_PID
|