22517767 Upgrade Solaris' DHCP to version 4.1-ESV-R7-P1
22501693 problem in SERVICE/DHCP-SERVER
This patch was derived from ISC source differences between dhcp-4.1-ESV-R12
and dhcp-4.1-ESV-R12-P1.
--- old/./RELNOTES Thu Jan 7 21:28:37 2016
+++ new/./RELNOTES Thu Jan 7 21:28:37 2016
@@ -1,6 +1,6 @@
Internet Systems Consortium DHCP Distribution
- Version 4.1-ESV-R7
- 10 September 2012
+ Version 4.1-ESV-R7-P1
+ 01 January 2016
Release Notes
@@ -52,6 +52,13 @@
work on other platforms. Please report any problems and suggested fixes to
<[email protected]>.
+ Changes since 4.1-ESV-R7-P1
+
+! Update the bounds checking when receiving a packet.
+ Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
+ patch.
+ [ISC-Bugs #41267]
+
Changes since 4.1-ESV-R6
- Existing legacy unit-tests have been migrated to Automated Test
--- old/common/packet.c Thu Jan 7 21:28:37 2016
+++ new/common/packet.c Thu Jan 7 21:28:37 2016
@@ -220,7 +220,28 @@
}
}
-/* UDP header and IP header decoded together for convenience. */
+/*!
+ *
+ * \brief UDP header and IP header decoded together for convenience.
+ *
+ * Attempt to decode the UDP and IP headers and, if necessary, checksum
+ * the packet.
+ *
+ * \param inteface - the interface on which the packet was recevied
+ * \param buf - a pointer to the buffer for the received packet
+ * \param bufix - where to start processing the buffer, previous
+ * routines may have processed parts of the buffer already
+ * \param from - space to return the address of the packet sender
+ * \param buflen - remaining length of the buffer, this will have been
+ * decremented by bufix by the caller
+ * \param rbuflen - space to return the length of the payload from the udp
+ * header
+ * \param csum_ready - indication if the checksum is valid for use
+ * non-zero indicates the checksum should be validated
+ *
+ * \return - the index to the first byte of the udp payload (that is the
+ * start of the DHCP packet
+ */
ssize_t
decode_udp_ip_header(struct interface_info *interface,
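Review bot: The new Doxygen block documents only the success return, although the length checks in the later hunks of this file return -1 when the packet is rejected. I would add a line such as `\return -1 if the IP or UDP header or payload does not fit within buflen`. The tag `\param inteface` does not match the parameter name `interface` in the signature, so Doxygen will probably not associate it. The `\return` text also has an unclosed parenthesis and "recevied" is misspelled. The function signature and body continue outside this hunk.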
@@ -231,7 +252,7 @@
unsigned char *data;
struct ip ip;
struct udphdr udp;
- unsigned char *upp, *endbuf;
+ unsigned char *upp;
u_int32_t ip_len, ulen, pkt_len;
u_int32_t sum, usum;
static int ip_packets_seen;
@@ -242,11 +263,8 @@
static int udp_packets_length_overflow;
unsigned len;
- /* Designate the end of the input buffer for bounds checks. */
- endbuf = buf + bufix + buflen;
-
/* Assure there is at least an IP header there. */
- if ((buf + bufix + sizeof(ip)) > endbuf)
+ if (sizeof(ip) > buflen)
return -1;
/* Copy the IP header into a stack aligned structure for inspection.
@@ -258,13 +276,17 @@
ip_len = (*upp & 0x0f) << 2;
upp += ip_len;
- /* Check the IP packet length. */
+ /* Check packet lengths are within the buffer:
+ * first the ip header (ip_len)
+ * then the packet length from the ip header (pkt_len)
+ * then the udp header (ip_len + sizeof(udp)
+ * We are liberal in what we accept, the udp payload should fit within
+ * pkt_len, but we only check against the full buffer size.
+ */
pkt_len = ntohs(ip.ip_len);
- if (pkt_len > buflen)
- return -1;
-
- /* Assure after ip_len bytes that there is enough room for a UDP header. */
- if ((upp + sizeof(udp)) > endbuf)
+ if ((ip_len > buflen) ||
+ (pkt_len > buflen) ||
+ ((ip_len + sizeof(udp)) > buflen))
return -1;
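Review bot: No lower bound on `ip_len` is visible in this hunk. It is taken from the low nibble of the first header byte, so a value smaller than `sizeof(ip)` passes all three comparisons, and the UDP header would then be read from inside the IP header region. Unless a check exists outside the hunk, adding `(ip_len < sizeof(ip)) ||` as the first term would reject such headers. Separately, `upp += ip_len;` runs before `ip_len > buflen` is tested, so moving the increment below the check would keep the pointer inside the buffer. The function body starts and ends outside this hunk.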
/* Copy the UDP header into a stack aligned structure for inspection. */
@@ -285,7 +307,8 @@
return -1;
udp_packets_length_checked++;
- if ((upp + ulen) > endbuf) {
+ /* verify that the payload length from the udp packet fits in the buffer */
+ if ((ip_len + ulen) > buflen) {
udp_packets_length_overflow++;
if ((udp_packets_length_checked > 4) &&
((udp_packets_length_checked /
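Review bot: The UDP length is compared only with `buflen` and never with `pkt_len`, so a datagram whose `ulen` runs past the IP total length but still lies inside the receive buffer is accepted. Any trailing bytes in the buffer would then be handed on as payload. The comment in the previous hunk says this leniency is deliberate; if it stays, a comment at this check would make that clear, e.g. `/* ulen may exceed pkt_len; only the buffer bound is enforced here */`. A stricter form would be `if (((ip_len + ulen) > buflen) || ((ip_len + ulen) > pkt_len)) {`. The enclosing `if` block continues outside this hunk.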
--- old/./configure Thu Jan 7 21:28:37 2016
+++ new/./configure Thu Jan 7 21:28:37 2016
@@ -574,8 +574,8 @@
# Identity of this package.
PACKAGE_NAME='DHCP'
PACKAGE_TARNAME='dhcp'
-PACKAGE_VERSION='4.1-ESV-R7'
-PACKAGE_STRING='DHCP 4.1-ESV-R7'
+PACKAGE_VERSION='4.1-ESV-R7-P1'
+PACKAGE_STRING='DHCP 4.1-ESV-R7-P1'
PACKAGE_BUGREPORT='[email protected]'
# Factoring default headers for most tests.
@@ -2125,7 +2125,7 @@
# Define the identity of the package.
PACKAGE='dhcp'
- VERSION='4.1-ESV-R7'
+ VERSION='4.1-ESV-R7-P1'
cat >>confdefs.h <<_ACEOF
--- old/./configure.ac Thu Jan 7 21:28:37 2016
+++ new/./configure.ac Thu Jan 7 21:28:37 2016
@@ -1,4 +1,4 @@
-AC_INIT([DHCP], [4.1-ESV-R7], [[email protected]])
+AC_INIT([DHCP], [4.1-ESV-R7-P1], [[email protected]])
# we specify "foreign" to avoid having to have the GNU mandated files,
# like AUTHORS, COPYING, and such