[dhcp/f16] 4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)

Tomas Hozza thozza at fedoraproject.org
Wed Jul 25 12:17:54 UTC 2012 

commit df341d1152632e523a60fd564cfc31731e025333
Author: Tomas Hozza <thozza at redhat.com>
Date:   Wed Jul 25 14:16:31 2012 +0200

    4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)

 dhcp-4.2.4-CVE-2012-3570-3571-3954.patch |  149 ++++++++++++++++++++++++++++++
 dhcp.spec                                |    9 ++-
 2 files changed, 157 insertions(+), 1 deletions(-)
---
diff --git a/dhcp-4.2.4-CVE-2012-3570-3571-3954.patch b/dhcp-4.2.4-CVE-2012-3570-3571-3954.patch
new file mode 100644
index 0000000..aa34f30
--- /dev/null
+++ b/dhcp-4.2.4-CVE-2012-3570-3571-3954.patch
@@ -0,0 +1,149 @@
+diff -up dhcp-4.2.3-P2/common/options.c.CVE-2012-3570-3571-3954 dhcp-4.2.3-P2/common/options.c
+--- dhcp-4.2.3-P2/common/options.c.CVE-2012-3570-3571-3954	2012-07-25 14:02:05.632045359 +0200
++++ dhcp-4.2.3-P2/common/options.c	2012-07-25 14:04:46.089599642 +0200
+@@ -2406,6 +2406,8 @@ prepare_option_buffer(struct universe *u
+ 
+ 	/* And let go of our references. */
+       cleanup:
++	if (lbp != NULL)
++		buffer_dereference(&lbp, MDL);
+ 	option_dereference(&option, MDL);
+ 
+ 	return 1;
+@@ -3801,11 +3803,13 @@ void do_packet (interface, packet, len,
+ 			data_string_forget (&dp, MDL);
+ 		}
+ 	}
+-		
+-	if (decoded_packet -> packet_type)
+-		dhcp (decoded_packet);
+-	else
+-		bootp (decoded_packet);
++
++	if (validate_packet(decoded_packet) != 0) {
++		if (decoded_packet->packet_type)
++			dhcp(decoded_packet);
++		else
++			bootp(decoded_packet);
++	}
+ 
+ 	/* If the caller kept the packet, they'll have upped the refcnt. */
+ 	packet_dereference (&decoded_packet, MDL);
+@@ -4123,4 +4127,47 @@ add_option(struct option_state *options,
+ 	return 1;
+ }
+ 
++/**
++ *  Checks if received BOOTP/DHCPv4 packet is sane
++ *
++ * @param packet received, decoded packet
++ *
++ * @return 1 if packet is sane, 0 if it is not
++ */
++int validate_packet(struct packet *packet)
++{
++	struct option_cache *oc = NULL;
++
++	oc = lookup_option (&dhcp_universe, packet->options,
++			    DHO_DHCP_CLIENT_IDENTIFIER);
++	if (oc) {
++		/* Let's check if client-identifier is sane */
++		if (oc->data.len == 0) {
++			log_debug("Dropped DHCPv4 packet with zero-length client-id");
++			return (0);
+ 
++		} else if (oc->data.len == 1) {
++			/*
++			 * RFC2132, section 9.14 states that minimum length of client-id
++			 * is 2.  We will allow single-character client-ids for now (for
++			 * backwards compatibility), but warn the user that support for
++			 * this is against the standard.
++			 */
++			log_debug("Accepted DHCPv4 packet with one-character client-id - "
++				"a future version of ISC DHCP will reject this");
++		}
++	} else {
++		/* 
++		 * If hlen is 0 we don't have any identifier, we warn the user
++		 * but continue processing the packet as we can.
++		 */
++		if (packet->raw->hlen == 0) {
++			log_debug("Received DHCPv4 packet without client-id"
++				  " option and empty hlen field.");
++		}
++	}
++
++	/* @todo: Add checks for other received options */
++
++	return (1);
++}
+diff -up dhcp-4.2.3-P2/includes/dhcpd.h.CVE-2012-3570-3571-3954 dhcp-4.2.3-P2/includes/dhcpd.h
+--- dhcp-4.2.3-P2/includes/dhcpd.h.CVE-2012-3570-3571-3954	2012-07-25 14:02:05.651045307 +0200
++++ dhcp-4.2.3-P2/includes/dhcpd.h	2012-07-25 14:07:45.840102184 +0200
+@@ -432,11 +432,17 @@ struct packet {
+ 	isc_boolean_t unicast;
+ };
+ 
+-/* A network interface's MAC address. */
++/*
++ * A network interface's MAC address.
++ * 20 bytes for the hardware address
++ * and 1 byte for the type tag
++ */
++
++#define HARDWARE_ADDR_LEN 20
+ 
+ struct hardware {
+ 	u_int8_t hlen;
+-	u_int8_t hbuf [17];
++	u_int8_t hbuf[HARDWARE_ADDR_LEN + 1];
+ };
+ 
+ #if defined(LDAP_CONFIGURATION)
+@@ -1857,6 +1863,8 @@ void do_packet6(struct interface_info *,
+ 		int, int, const struct iaddr *, isc_boolean_t);
+ int packet6_len_okay(const char *, int);
+ 
++int validate_packet(struct packet *);
++
+ int add_option(struct option_state *options,
+ 	       unsigned int option_num,
+ 	       void *data,
+diff -up dhcp-4.2.3-P2/server/dhcpv6.c.CVE-2012-3570-3571-3954 dhcp-4.2.3-P2/server/dhcpv6.c
+--- dhcp-4.2.3-P2/server/dhcpv6.c.CVE-2012-3570-3571-3954	2012-07-25 14:02:05.653045301 +0200
++++ dhcp-4.2.3-P2/server/dhcpv6.c	2012-07-25 14:11:25.062503597 +0200
+@@ -1285,6 +1285,8 @@ lease_to_client(struct data_string *repl
+ 	struct data_string packet_oro;
+ 	isc_boolean_t no_resources_avail;
+ 
++	memset(&packet_oro, 0, sizeof(packet_oro));
++
+ 	/* Locate the client.  */
+ 	if (shared_network_from_packet6(&reply.shared,
+ 					packet) != ISC_R_SUCCESS)
+@@ -1307,7 +1309,6 @@ lease_to_client(struct data_string *repl
+ 	 * Get the ORO from the packet, if any.
+ 	 */
+ 	oc = lookup_option(&dhcpv6_universe, packet->options, D6O_ORO);
+-	memset(&packet_oro, 0, sizeof(packet_oro));
+ 	if (oc != NULL) {
+ 		if (!evaluate_option_cache(&packet_oro, packet, 
+ 					   NULL, NULL, 
+@@ -1579,6 +1580,8 @@ lease_to_client(struct data_string *repl
+ 		packet_dereference(&reply.packet, MDL);
+ 	if (reply.client_id.data != NULL)
+ 		data_string_forget(&reply.client_id, MDL);
++	if (packet_oro.buffer != NULL)
++		data_string_forget(&packet_oro, MDL);
+ 	reply.renew = reply.rebind = reply.prefer = reply.valid = 0;
+ 	reply.cursor = 0;
+ }
+@@ -6130,7 +6133,7 @@ find_hosts_by_duid_chaddr(struct host_de
+ 		break;
+ 	}
+ 
+-	if (hlen == 0)
++	if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN)) 
+ 		return 0;
+ 
+ 	/*
diff --git a/dhcp.spec b/dhcp.spec
index 049de05..1e53681 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -19,7 +19,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.3
-Release:  9.%{patchver}%{?dist}
+Release:  10.%{patchver}%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -70,6 +70,7 @@ Patch30:  dhcp-4.2.2-sharedlib.patch
 Patch31:  dhcp-4.2.0-PPP.patch
 Patch32:  dhcp-4.2.3-paranoia.patch
 Patch33:  dhcp-4.2.3-P2-log_perror.patch
+Patch34:  dhcp-4.2.4-CVE-2012-3570-3571-3954.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -313,6 +314,9 @@ rm bind/bind.tar.gz
 # (Submitted to dhcp-bugs at isc.org - [ISC-Bugs #28049])
 %patch33 -p1 -b .log_perror
 
+# 4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)
+%patch34 -p1 -b .CVE-2012-3570-3571-3954
+
 # Copy in the Fedora/RHEL dhclient script
 %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
 %{__install} -p -m 0644 %{SOURCE5} .
@@ -646,6 +650,9 @@ fi
 %{_initddir}/dhcrelay
 
 %changelog
+* Wed Jul 25 2012 Tomas Hozza <thozza at redhat.com> - 12:4.2.3-10.P2
+- 4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)
+
 * Mon Jul 09 2012 Tomas Hozza <thozza at redhat.com> - 12:4.2.3-9.P2
 - changed the list of %verify on the leases files (#837474)

More information about the scm-commits mailing list