22501693 problem in SERVICE/DHCP-SERVER s11u3-sru
authorBen Chang <Benjamin.Chang@Oracle.COM>
Tue, 19 Jan 2016 14:07:25 -0800
branchs11u3-sru
changeset 5294 aab231e23f51
parent 5288 96ef113b9eed
child 5296 fe5e30c5a9ac
22501693 problem in SERVICE/DHCP-SERVER 22517767 Upgrade Solaris' DHCP to version 4.1-ESV-R7-P1
components/isc-dhcp/Makefile
components/isc-dhcp/dhcp.p5m
components/isc-dhcp/patches/001-ignore-client-uids.patch
components/isc-dhcp/patches/002-CVE-2015-8605.patch
components/isc-dhcp/patches/ignore-client-uids.patch
--- a/components/isc-dhcp/Makefile	Fri Jan 15 15:23:59 2016 -0800
+++ b/components/isc-dhcp/Makefile	Tue Jan 19 14:07:25 2016 -0800
@@ -18,13 +18,14 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		isc-dhcp
 COMPONENT_VERSION=	4.1-ESV-R7
-IPS_COMPONENT_VERSION=	4.1.0.7
+HUMAN_VERSION=		$(COMPONENT_VERSION)-P1
+IPS_COMPONENT_VERSION=	4.1.0.7.1
 COMPONENT_SRC_NAME=	dhcp
 COMPONENT_SRC=		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
--- a/components/isc-dhcp/dhcp.p5m	Fri Jan 15 15:23:59 2016 -0800
+++ b/components/isc-dhcp/dhcp.p5m	Tue Jan 19 14:07:25 2016 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
 set name=pkg.fmri \
@@ -27,6 +27,7 @@
 set name=pkg.description \
     value="ISC DHCP is open source software that implements the Dynamic Host Configuration Protocols for connection to a local network. This package includes the ISC DHCP server, relay agent and the omshell tool."
 set name=com.oracle.info.description value="the ISC DHCP Server and Relay Agent"
+set name=pkg.human-version value=$(HUMAN_VERSION)
 set name=com.oracle.info.tpno value=$(TPNO)
 set name=info.classification value=org.opensolaris.category.2008:System/Services
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/isc-dhcp/patches/001-ignore-client-uids.patch	Tue Jan 19 14:07:25 2016 -0800
@@ -0,0 +1,112 @@
+The following patch is adopted from ISC DHCP version 4.3.0.
+http://ftp.isc.org/isc/dhcp/4.3.0/dhcp-4.3.0.tar.gz
+
+--- dhcp-4.1-ESV-R7/server/stables.c.orig	Thu Aug 23 19:23:54 2012
++++ dhcp-4.1-ESV-R7/server/stables.c	Mon Apr 28 16:37:14 2014
[email protected]@ -244,6 +244,7 @@
+ 	{ "delayed-ack", "S",			&server_universe,  58, 1 },
+ 	{ "max-ack-delay", "L",			&server_universe,  59, 1 },
+ #endif
++	{ "ignore-client-uids", "f",		&server_universe,  60, 1 },
+ 	{ NULL, NULL, NULL, 0, 0 }
+ };
+ 
+--- dhcp-4.1-ESV-R7/server/dhcp.c.orig	Thu Aug 23 19:23:54 2012
++++ dhcp-4.1-ESV-R7/server/dhcp.c	Mon Apr 28 16:36:18 2014
[email protected]@ -2304,31 +2304,40 @@
+ 	/* Update Client Last Transaction Time. */
+ 	lt->cltt = cur_time;
+ 
+-	/* Record the uid, if given... */
+-	oc = lookup_option (&dhcp_universe, packet -> options,
+-			    DHO_DHCP_CLIENT_IDENTIFIER);
+-	if (oc &&
+-	    evaluate_option_cache (&d1, packet, lease,
+-				   (struct client_state *)0,
+-				   packet -> options, state -> options,
+-				   &lease -> scope, oc, MDL)) {
+-		if (d1.len <= sizeof lt -> uid_buf) {
+-			memcpy (lt -> uid_buf, d1.data, d1.len);
+-			lt -> uid = lt -> uid_buf;
+-			lt -> uid_max = sizeof lt -> uid_buf;
+-			lt -> uid_len = d1.len;
+-		} else {
+-			unsigned char *tuid;
+-			lt -> uid_max = d1.len;
+-			lt -> uid_len = d1.len;
+-			tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
+-			/* XXX inelegant */
+-			if (!tuid)
+-				log_fatal ("no memory for large uid.");
+-			memcpy (tuid, d1.data, lt -> uid_len);
+-			lt -> uid = tuid;
++	/* See if we want to record the uid for this client */
++	oc = lookup_option(&server_universe, state->options,
++	    SV_IGNORE_CLIENT_UIDS);
++	if ((oc == NULL) ||
++	    !evaluate_boolean_option_cache(&ignorep, packet, lease, NULL,
++		packet->options, state->options,
++		&lease->scope, oc, MDL)) {
++
++		/* Record the uid, if given... */
++		oc = lookup_option (&dhcp_universe, packet -> options,
++		    DHO_DHCP_CLIENT_IDENTIFIER);
++		if (oc &&
++		    evaluate_option_cache (&d1, packet, lease,
++			(struct client_state *)0,
++			packet -> options, state -> options,
++			&lease -> scope, oc, MDL)) {
++			if (d1.len <= sizeof lt -> uid_buf) {
++				memcpy (lt -> uid_buf, d1.data, d1.len);
++				lt -> uid = lt -> uid_buf;
++				lt -> uid_max = sizeof lt -> uid_buf;
++				lt -> uid_len = d1.len;
++			} else {
++				unsigned char *tuid;
++				lt -> uid_max = d1.len;
++				lt -> uid_len = d1.len;
++				tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
++				/* XXX inelegant */
++				if (!tuid)
++					log_fatal ("no memory for large uid.");
++				memcpy (tuid, d1.data, lt -> uid_len);
++				lt -> uid = tuid;
++			}
++			data_string_forget (&d1, MDL);
+ 		}
+-		data_string_forget (&d1, MDL);
+ 	}
+ 
+ 	if (host) {
+--- dhcp-4.1-ESV-R7/server/dhcpd.conf.5.orig	Wed May  7 18:37:36 2014
++++ dhcp-4.1-ESV-R7/server/dhcpd.conf.5	Wed May  7 18:38:46 2014
[email protected]@ -2302,6 +2302,19 @@
+ must be a constant value.
+ .RE
+ .PP
++The
++.I ignore-client-uids
++statement
++.RS 0.25i
++.PP
++.B ignore-client-uids \fIflag\fB;\fR
++.PP
++If the \fIignore-client-uids\fR statement is present and has a value of
++\fItrue\fR or \fIon\fR, the UID for clients will not be recorded.
++If this statement is not present or has a value of \fIfalse\fR or
++\fIoff\fR, then client UIDs will be recorded.
++.RE
++.PP
+ The
+ .I infinite-is-reserved
+ statement
+--- dhcp-4.1-ESV-R7/includes/dhcpd.h.orig	Thu Aug 23 19:23:53 2012
++++ dhcp-4.1-ESV-R7/includes/dhcpd.h	Mon Apr 28 16:11:17 2014
[email protected]@ -627,6 +627,7 @@
+ #define SV_LIMIT_PREFS_PER_IA		57
+ #define SV_DELAYED_ACK			58
+ #define SV_MAX_ACK_DELAY		59
++#define SV_IGNORE_CLIENT_UIDS		60
+ 
+ #if !defined (DEFAULT_PING_TIMEOUT)
+ # define DEFAULT_PING_TIMEOUT 1
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/isc-dhcp/patches/002-CVE-2015-8605.patch	Tue Jan 19 14:07:25 2016 -0800
@@ -0,0 +1,146 @@
+This patch was derived from ISC source differences between dhcp-4.1-ESV-R12
+and dhcp-4.1-ESV-R12-P1.
+
+--- old/./RELNOTES	Thu Jan  7 21:28:37 2016
++++ new/./RELNOTES	Thu Jan  7 21:28:37 2016
[email protected]@ -1,6 +1,6 @@
+ 	      Internet Systems Consortium DHCP Distribution
+-			    Version 4.1-ESV-R7
+-			     10 September 2012
++			    Version 4.1-ESV-R7-P1
++                              01 January 2016
+ 
+ 			      Release Notes
+ 
[email protected]@ -52,6 +52,13 @@
+ work on other platforms. Please report any problems and suggested fixes to
+ <[email protected]>.
+ 
++			Changes since 4.1-ESV-R7-P1
++
++! Update the bounds checking when receiving a packet.
++  Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
++  patch.
++  [ISC-Bugs #41267]
++
+ 			Changes since 4.1-ESV-R6
+ 
+ - Existing legacy unit-tests have been migrated to Automated Test
+--- old/common/packet.c	Thu Jan  7 21:28:37 2016
++++ new/common/packet.c	Thu Jan  7 21:28:37 2016
[email protected]@ -220,7 +220,28 @@
+ 	}
+ }
+ 
+-/* UDP header and IP header decoded together for convenience. */
++/*!
++ *
++ * \brief UDP header and IP header decoded together for convenience.
++ *
++ * Attempt to decode the UDP and IP headers and, if necessary, checksum
++ * the packet.
++ *
++ * \param inteface - the interface on which the packet was recevied
++ * \param buf - a pointer to the buffer for the received packet
++ * \param bufix - where to start processing the buffer, previous
++ *                routines may have processed parts of the buffer already
++ * \param from - space to return the address of the packet sender
++ * \param buflen - remaining length of the buffer, this will have been
++ *                 decremented by bufix by the caller
++ * \param rbuflen - space to return the length of the payload from the udp
++ *                  header
++ * \param csum_ready - indication if the checksum is valid for use
++ *                     non-zero indicates the checksum should be validated
++ *
++ * \return - the index to the first byte of the udp payload (that is the
++ *           start of the DHCP packet
++ */
+ 
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
[email protected]@ -231,7 +252,7 @@
+   unsigned char *data;
+   struct ip ip;
+   struct udphdr udp;
+-  unsigned char *upp, *endbuf;
++  unsigned char *upp;
+   u_int32_t ip_len, ulen, pkt_len;
+   u_int32_t sum, usum;
+   static int ip_packets_seen;
[email protected]@ -242,11 +263,8 @@
+   static int udp_packets_length_overflow;
+   unsigned len;
+ 
+-  /* Designate the end of the input buffer for bounds checks. */
+-  endbuf = buf + bufix + buflen;
+-
+   /* Assure there is at least an IP header there. */
+-  if ((buf + bufix + sizeof(ip)) > endbuf)
++  if (sizeof(ip) > buflen)
+ 	  return -1;
+ 
+   /* Copy the IP header into a stack aligned structure for inspection.
[email protected]@ -258,13 +276,17 @@
+   ip_len = (*upp & 0x0f) << 2;
+   upp += ip_len;
+ 
+-  /* Check the IP packet length. */
++  /* Check packet lengths are within the buffer:
++   * first the ip header (ip_len)
++   * then the packet length from the ip header (pkt_len)
++   * then the udp header (ip_len + sizeof(udp)
++   * We are liberal in what we accept, the udp payload should fit within
++   * pkt_len, but we only check against the full buffer size.
++   */
+   pkt_len = ntohs(ip.ip_len);
+-  if (pkt_len > buflen)
+-	return -1;
+-
+-  /* Assure after ip_len bytes that there is enough room for a UDP header. */
+-  if ((upp + sizeof(udp)) > endbuf)
++  if ((ip_len > buflen) ||
++      (pkt_len > buflen) ||
++      ((ip_len + sizeof(udp)) > buflen))
+ 	  return -1;
+ 
+   /* Copy the UDP header into a stack aligned structure for inspection. */
[email protected]@ -285,7 +307,8 @@
+ 	return -1;
+ 
+   udp_packets_length_checked++;
+-  if ((upp + ulen) > endbuf) {
++  /* verify that the payload length from the udp packet fits in the buffer */
++  if ((ip_len + ulen) > buflen) {
+ 	udp_packets_length_overflow++;
+ 	if ((udp_packets_length_checked > 4) &&
+ 	    ((udp_packets_length_checked /
+--- old/./configure	Thu Jan  7 21:28:37 2016
++++ new/./configure	Thu Jan  7 21:28:37 2016
[email protected]@ -574,8 +574,8 @@
+ # Identity of this package.
+ PACKAGE_NAME='DHCP'
+ PACKAGE_TARNAME='dhcp'
+-PACKAGE_VERSION='4.1-ESV-R7'
+-PACKAGE_STRING='DHCP 4.1-ESV-R7'
++PACKAGE_VERSION='4.1-ESV-R7-P1'
++PACKAGE_STRING='DHCP 4.1-ESV-R7-P1'
+ PACKAGE_BUGREPORT='[email protected]'
+ 
+ # Factoring default headers for most tests.
[email protected]@ -2125,7 +2125,7 @@
+ 
+ # Define the identity of the package.
+  PACKAGE='dhcp'
+- VERSION='4.1-ESV-R7'
++ VERSION='4.1-ESV-R7-P1'
+ 
+ 
+ cat >>confdefs.h <<_ACEOF
+--- old/./configure.ac	Thu Jan  7 21:28:37 2016
++++ new/./configure.ac	Thu Jan  7 21:28:37 2016
[email protected]@ -1,4 +1,4 @@
+-AC_INIT([DHCP], [4.1-ESV-R7], [[email protected]])
++AC_INIT([DHCP], [4.1-ESV-R7-P1], [[email protected]])
+ 
+ # we specify "foreign" to avoid having to have the GNU mandated files,
+ # like AUTHORS, COPYING, and such
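Review bot: In the `common/packet.c` part of this patch, the combined length check in `decode_udp_ip_header` bounds `ip_len` only from above, so a header-length nibble below 5 (`ip_len` < 20) still passes and the UDP header is then copied from bytes that overlap the fixed IP header. The read stays inside the buffer because `ip_len + sizeof(udp)` is compared with `buflen`, so this looks like a validation gap rather than a memory-safety one, but a malformed packet is parsed instead of dropped. Adding `(ip_len < sizeof(ip)) ||` as the first term of that condition would reject it. The function starts and ends outside these hunks, so a check elsewhere may already cover this and should be confirmed. Separately, the added doc comment has typos (`inteface`, `recevied`), and the RELNOTES heading `Changes since 4.1-ESV-R7-P1` presumably should name the release this one follows.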
--- a/components/isc-dhcp/patches/ignore-client-uids.patch	Fri Jan 15 15:23:59 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,112 +0,0 @@
-The following patch is adopted from ISC DHCP version 4.3.0.
-http://ftp.isc.org/isc/dhcp/4.3.0/dhcp-4.3.0.tar.gz
-
---- dhcp-4.1-ESV-R7/server/stables.c.orig	Thu Aug 23 19:23:54 2012
-+++ dhcp-4.1-ESV-R7/server/stables.c	Mon Apr 28 16:37:14 2014
[email protected]@ -244,6 +244,7 @@
- 	{ "delayed-ack", "S",			&server_universe,  58, 1 },
- 	{ "max-ack-delay", "L",			&server_universe,  59, 1 },
- #endif
-+	{ "ignore-client-uids", "f",		&server_universe,  60, 1 },
- 	{ NULL, NULL, NULL, 0, 0 }
- };
- 
---- dhcp-4.1-ESV-R7/server/dhcp.c.orig	Thu Aug 23 19:23:54 2012
-+++ dhcp-4.1-ESV-R7/server/dhcp.c	Mon Apr 28 16:36:18 2014
[email protected]@ -2304,31 +2304,40 @@
- 	/* Update Client Last Transaction Time. */
- 	lt->cltt = cur_time;
- 
--	/* Record the uid, if given... */
--	oc = lookup_option (&dhcp_universe, packet -> options,
--			    DHO_DHCP_CLIENT_IDENTIFIER);
--	if (oc &&
--	    evaluate_option_cache (&d1, packet, lease,
--				   (struct client_state *)0,
--				   packet -> options, state -> options,
--				   &lease -> scope, oc, MDL)) {
--		if (d1.len <= sizeof lt -> uid_buf) {
--			memcpy (lt -> uid_buf, d1.data, d1.len);
--			lt -> uid = lt -> uid_buf;
--			lt -> uid_max = sizeof lt -> uid_buf;
--			lt -> uid_len = d1.len;
--		} else {
--			unsigned char *tuid;
--			lt -> uid_max = d1.len;
--			lt -> uid_len = d1.len;
--			tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
--			/* XXX inelegant */
--			if (!tuid)
--				log_fatal ("no memory for large uid.");
--			memcpy (tuid, d1.data, lt -> uid_len);
--			lt -> uid = tuid;
-+	/* See if we want to record the uid for this client */
-+	oc = lookup_option(&server_universe, state->options,
-+	    SV_IGNORE_CLIENT_UIDS);
-+	if ((oc == NULL) ||
-+	    !evaluate_boolean_option_cache(&ignorep, packet, lease, NULL,
-+		packet->options, state->options,
-+		&lease->scope, oc, MDL)) {
-+
-+		/* Record the uid, if given... */
-+		oc = lookup_option (&dhcp_universe, packet -> options,
-+		    DHO_DHCP_CLIENT_IDENTIFIER);
-+		if (oc &&
-+		    evaluate_option_cache (&d1, packet, lease,
-+			(struct client_state *)0,
-+			packet -> options, state -> options,
-+			&lease -> scope, oc, MDL)) {
-+			if (d1.len <= sizeof lt -> uid_buf) {
-+				memcpy (lt -> uid_buf, d1.data, d1.len);
-+				lt -> uid = lt -> uid_buf;
-+				lt -> uid_max = sizeof lt -> uid_buf;
-+				lt -> uid_len = d1.len;
-+			} else {
-+				unsigned char *tuid;
-+				lt -> uid_max = d1.len;
-+				lt -> uid_len = d1.len;
-+				tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
-+				/* XXX inelegant */
-+				if (!tuid)
-+					log_fatal ("no memory for large uid.");
-+				memcpy (tuid, d1.data, lt -> uid_len);
-+				lt -> uid = tuid;
-+			}
-+			data_string_forget (&d1, MDL);
- 		}
--		data_string_forget (&d1, MDL);
- 	}
- 
- 	if (host) {
---- dhcp-4.1-ESV-R7/server/dhcpd.conf.5.orig	Wed May  7 18:37:36 2014
-+++ dhcp-4.1-ESV-R7/server/dhcpd.conf.5	Wed May  7 18:38:46 2014
[email protected]@ -2302,6 +2302,19 @@
- must be a constant value.
- .RE
- .PP
-+The
-+.I ignore-client-uids
-+statement
-+.RS 0.25i
-+.PP
-+.B ignore-client-uids \fIflag\fB;\fR
-+.PP
-+If the \fIignore-client-uids\fR statement is present and has a value of
-+\fItrue\fR or \fIon\fR, the UID for clients will not be recorded.
-+If this statement is not present or has a value of \fIfalse\fR or
-+\fIoff\fR, then client UIDs will be recorded.
-+.RE
-+.PP
- The
- .I infinite-is-reserved
- statement
---- dhcp-4.1-ESV-R7/includes/dhcpd.h.orig	Thu Aug 23 19:23:53 2012
-+++ dhcp-4.1-ESV-R7/includes/dhcpd.h	Mon Apr 28 16:11:17 2014
[email protected]@ -627,6 +627,7 @@
- #define SV_LIMIT_PREFS_PER_IA		57
- #define SV_DELAYED_ACK			58
- #define SV_MAX_ACK_DELAY		59
-+#define SV_IGNORE_CLIENT_UIDS		60
- 
- #if !defined (DEFAULT_PING_TIMEOUT)
- # define DEFAULT_PING_TIMEOUT 1