isc dhcp: missing check of the length of the server identifier option
Date: 21/03/2023, 08.50
Hello, I have found a bug in isc-dhcp 4.4.3. The length of the server identifier option is 4 bytes. However, I find that dhcprequest() does not check its length before memcpy'ing the data.
oc = lookup_option (&dhcp_universe, packet -> options, DHO_DHCP_SERVER_IDENTIFIER);
memset (&data, 0, sizeof data);
if (oc &&
    evaluate_option_cache (&data, packet, (struct lease *)0,
                           (struct client_state *)0,
                           packet -> options, (struct option_state *)0,
                           &global_scope, oc, MDL)) {
    sip.len = 4;
    memcpy (sip.iabuf, data.data, 4);
Thus, I constructed a packet with a 2-byte server identifier option ("\x02AA"). I find that it over-reads and shows the buffer contents in the log, as shown in the figure: (see email)
Also, I have found that the length check is missing for the following options as well. I cannot trigger them with a PoC, so I think these may be bugs too.
- option 50, dhcprequest(), dhcp.c line 472
- option 59, ack_lease(), dhcp.c line 3368
- option 58, ack_lease(), dhcp.c line 3385
- option 118, ack_lease(), dhcp.c line 3302
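As an added illustration of the missing check (this is example code written for this post, not ISC's dhcp.c), the walk below parses a raw DHCP options area and rejects any of the options listed above whose length field is not the four octets RFC 2132/3011 require, so the copy of the server identifier only happens after the length has been verified. The DHO_* constants and the get_server_identifier() name are re-declared locally for the example.

```c
/* Added example, not ISC's code: a bounds-checked walk over the DHCP options
 * area that rejects fixed-length options whose length field is wrong. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DHO_PAD                     0
#define DHO_DHCP_REQUESTED_ADDRESS  50
#define DHO_DHCP_SERVER_IDENTIFIER  54
#define DHO_DHCP_RENEWAL_TIME       58
#define DHO_DHCP_REBINDING_TIME     59
#define DHO_SUBNET_SELECTION        118
#define DHO_END                     255
/* Options the report lists; each carries exactly four octets (RFC 2132/3011). */
static int expected_len(uint8_t code) {
    switch (code) {
    case DHO_DHCP_REQUESTED_ADDRESS:
    case DHO_DHCP_SERVER_IDENTIFIER:
    case DHO_DHCP_RENEWAL_TIME:
    case DHO_DHCP_REBINDING_TIME:
    case DHO_SUBNET_SELECTION:
        return 4;
    default:
        return -1;   /* variable-length or unknown: only bounds-check */
    }
}

/* Copy the server identifier out of `opts`. Returns 1 on success, 0 if
 * absent, -1 if the option area is malformed or a length is wrong. */
int get_server_identifier(const uint8_t *opts, size_t n, uint8_t out[4]) {
    size_t i = 0;
    while (i < n) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) return 0;
        if (i >= n) return -1;                 /* truncated: no length byte */
        uint8_t len = opts[i++];
        if (len > n - i) return -1;            /* length runs past the buffer */
        int want = expected_len(code);
        if (want >= 0 && len != (uint8_t)want) return -1;  /* "\x02AA" fails here */
        if (code == DHO_DHCP_SERVER_IDENTIFIER) {
            memcpy(out, opts + i, 4);          /* len == 4 is now guaranteed */
            return 1;
        }
        i += len;
    }
    return 0;
}
```

The 2-byte identifier from the report (option 54, length 2, "AA") is refused before any copy, whereas the original memcpy of 4 bytes would read past the 2 bytes actually present.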