[dhcp/f16] isc_time_nowplusinterval() is not safe with 64-bit time_t (#662254, #789601)

Fri Jul 27 08:16:39 UTC 2012

commit 9a312e3cd914da2b6f32651c94d1d1d4fb0bf359
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Fri Jul 27 10:00:49 2012 +0200

    isc_time_nowplusinterval() is not safe with 64-bit time_t (#662254, #789601)

 dhcp-interval.patch |   25 +++++++++++++++++++++++++
 dhcp.spec           |    9 ++++++++-
 2 files changed, 33 insertions(+), 1 deletions(-)
---

diff --git a/dhcp-interval.patch b/dhcp-interval.patch
new file mode 100644
index 0000000..e8e89c1
--- /dev/null
+++ b/dhcp-interval.patch
@@ -0,0 +1,25 @@
+diff -up dhcp-4.2.4/common/dispatch.c.foo dhcp-4.2.4/common/dispatch.c
+--- dhcp-4.2.4/common/dispatch.c.foo	2012-07-26 21:31:43.875349675 -0500
++++ dhcp-4.2.4/common/dispatch.c	2012-07-26 21:39:14.961710319 -0500
+@@ -324,7 +324,20 @@ void add_timeout (when, where, what, ref
+ 	q->next  = timeouts;
+ 	timeouts = q;
+ 
+-	isc_interval_set(&interval, sec & DHCP_SEC_MAX, usec * 1000);
++	/* isc_time_nowplusinterval() is not safe with 64-bit time_t and will
++	 * return an error for sufficiently large intervals.  We have to limit
++	 * the interval to INT_MAX or less to ensure the interval doesn't
++	 * overflow 32 bits, since the returned isc_time_t fields are
++	 * 32-bit unsigned ints.
++	 *
++	 * HACK: The 9 is a magic number of seconds, since some time may have
++	 * gone by since the last call to gettimeofday() and the one in
++	 * isc_time_nowplusinterval().
++	 */
++	if (sec > TIME_MAX)
++		sec = TIME_MAX - 9;
++
++	isc_interval_set(&interval, sec, usec * 1000);
+ 	status = isc_time_nowplusinterval(&expires, &interval);
+ 	if (status != ISC_R_SUCCESS) {
+ 		/*
diff --git a/dhcp.spec b/dhcp.spec
index 1e53681..28e87b8 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -19,7 +19,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.3
-Release:  10.%{patchver}%{?dist}
+Release:  11.%{patchver}%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -71,6 +71,7 @@ Patch31:  dhcp-4.2.0-PPP.patch
 Patch32:  dhcp-4.2.3-paranoia.patch
 Patch33:  dhcp-4.2.3-P2-log_perror.patch
 Patch34:  dhcp-4.2.4-CVE-2012-3570-3571-3954.patch
+Patch35:  dhcp-interval.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -317,6 +318,9 @@ rm bind/bind.tar.gz
 # 4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)
 %patch34 -p1 -b .CVE-2012-3570-3571-3954
 
+# isc_time_nowplusinterval() is not safe with 64-bit time_t
+%patch35 -p1 -b .interval
+
 # Copy in the Fedora/RHEL dhclient script
 %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
 %{__install} -p -m 0644 %{SOURCE5} .
@@ -650,6 +654,9 @@ fi
 %{_initddir}/dhcrelay
 
 %changelog
+* Fri Jul 27 2012 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.3-11.P2
+- isc_time_nowplusinterval() is not safe with 64-bit time_t (#662254, #789601)
+
 * Wed Jul 25 2012 Tomas Hozza <thozza at redhat.com> - 12:4.2.3-10.P2
 - 4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)
 
