Commit 3a43b4ec authored by Shawn Routhier

Two packets were found that cause a server to halt. The code
has been updated to properly process or reject the packets as
appropriate.  Thanks to David Zych at University of Illinois
for reporting this issue.  [ISC-Bugs #24960]
One CVE number for each class of packet.
CVE-2011-2748
CVE-2011-2749
parent a1f2d491
......@@ -64,6 +64,14 @@ work on other platforms. Please report any problems and suggested fixes to
See ACCEPT_LIST_IN_DOMAIN_NAME define in includes/site.h.
[ISC-Bugs #24167]
! Two packets were found that cause a server to halt. The code
has been updated to properly process or reject the packets as
appropriate. Thanks to David Zych at University of Illinois
for reporting this issue. [ISC-Bugs #24960]
One CVE number for each class of packet.
CVE-2011-2748
CVE-2011-2749
Changes since 4.1-ESV-R2
- DHCPv6 server now responds properly if client asks for a prefix that
......
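Review bot: The new RELNOTES entry lists CVE-2011-2748 and CVE-2011-2749 as "One CVE number for each class of packet" but never says what the two classes are or which number belongs to which. Consider adding a short phrase per CVE describing the packet class, so an operator reading the notes can tell which fix addresses which issue.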
......@@ -1395,12 +1395,16 @@ isc_result_t got_one (h)
if (result == 0)
return ISC_R_UNEXPECTED;
/* If we didn't at least get the fixed portion of the BOOTP
packet, drop the packet. We're allowing packets with no
sname or filename, because we're aware of at least one
client that sends such packets, but this definitely falls
into the category of being forgiving. */
if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
/*
* If we didn't at least get the fixed portion of the BOOTP
* packet, drop the packet.
* Previously we allowed packets with no sname or filename
* as we were aware of at least one client that did. But
* a bug caused short packets to not work and nobody has
* complained, it seems rational to tighten up that
* restriction.
*/
if (result < DHCP_FIXED_NON_UDP)
return ISC_R_UNEXPECTED;
#if defined(IP_PKTINFO) && defined(IP_RECVPKTINFO) && defined(USE_V4_PKTINFO)
......
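Review bot: The tightened check `if (result < DHCP_FIXED_NON_UDP)` still drops the packet with a bare `return ISC_R_UNEXPECTED;` and no log line, so a client that sends packets without sname or filename will now fail silently. Consider a debug-level log of the received length at this point so the behaviour change is diagnosable. Separately, the new comment has a comma splice at "nobody has complained, it seems rational", which reads better as "nobody has complained, so it seems rational".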
......@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
} else if (bootpp) {
mb_size = 64;
if (inpacket != NULL &&
(inpacket->packet_length - DHCP_FIXED_LEN >= 64))
mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
(inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
} else
mb_size = DHCP_MIN_OPTION_LEN;
......
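Review bot: In the bootpp branch the comparison changes from `packet_length - DHCP_FIXED_LEN >= 64` to `packet_length >= 64 + DHCP_FIXED_NON_UDP`, and nothing in the code says why the form matters. If packet_length is unsigned, the old subtraction wraps for a short packet and passes the test, which would make mb_size very large; a one-line comment stating that the addition is kept on the constant side to avoid that would stop a later cleanup from reintroducing it. The switch of constant from DHCP_FIXED_LEN to DHCP_FIXED_NON_UDP also changes the resulting mb_size and deserves a mention in the same comment.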
......@@ -3,7 +3,7 @@
DHCP Protocol engine. */
/*
* Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 2004-2011 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 1995-2003 by Internet Software Consortium
*
* Permission to use, copy, modify, and distribute this software for any
......@@ -1541,6 +1541,7 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp)
* by the user into the new state, not just give up.
*/
if (!packet->agent_options_stashed &&
(packet->options != NULL) &&
packet->options->universe_count > agent_universe.index &&
packet->options->universes[agent_universe.index] != NULL &&
(state->options->universe_count <= agent_universe.index ||
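Review bot: The added `(packet->options != NULL)` guard covers the packet side, but the last visible line of this condition still reads `state->options->universe_count` with no comparable check. Please confirm that state->options cannot be NULL at this point in ack_lease, or guard it the same way.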
......@@ -2360,6 +2361,7 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp)
* giaddr.
*/
if (!packet->agent_options_stashed &&
(packet->options != NULL) &&
packet->options->universe_count > agent_universe.index &&
packet->options->universes[agent_universe.index] != NULL) {
oc = lookup_option (&server_universe, state -> options,
......
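Review bot: The `(packet->options != NULL)` guard is now added by hand in two places in ack_lease that share the same leading clauses (agent_options_stashed, universe_count, universes[agent_universe.index]). Consider moving those clauses into a small helper so the guard cannot be missed in one copy. It may also be worth checking whether a packet whose options pointer is NULL should be rejected before it reaches ack_lease at all.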