22501693 problem in SERVICE/DHCP-SERVER
22517767 Upgrade Solaris' DHCP to version 4.1-ESV-R7-P1
--- a/components/isc-dhcp/Makefile Fri Jan 15 15:23:59 2016 -0800
+++ b/components/isc-dhcp/Makefile Tue Jan 19 14:07:25 2016 -0800
@@ -18,13 +18,14 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
#
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= isc-dhcp
COMPONENT_VERSION= 4.1-ESV-R7
-IPS_COMPONENT_VERSION= 4.1.0.7
+HUMAN_VERSION= $(COMPONENT_VERSION)-P1
+IPS_COMPONENT_VERSION= 4.1.0.7.1
COMPONENT_SRC_NAME= dhcp
COMPONENT_SRC= $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
--- a/components/isc-dhcp/dhcp.p5m Fri Jan 15 15:23:59 2016 -0800
+++ b/components/isc-dhcp/dhcp.p5m Tue Jan 19 14:07:25 2016 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
set name=pkg.fmri \
@@ -27,6 +27,7 @@
set name=pkg.description \
value="ISC DHCP is open source software that implements the Dynamic Host Configuration Protocols for connection to a local network. This package includes the ISC DHCP server, relay agent and the omshell tool."
set name=com.oracle.info.description value="the ISC DHCP Server and Relay Agent"
+set name=pkg.human-version value=$(HUMAN_VERSION)
set name=com.oracle.info.tpno value=$(TPNO)
set name=info.classification value=org.opensolaris.category.2008:System/Services
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/isc-dhcp/patches/001-ignore-client-uids.patch Tue Jan 19 14:07:25 2016 -0800
@@ -0,0 +1,112 @@
+The following patch is adopted from ISC DHCP version 4.3.0.
+http://ftp.isc.org/isc/dhcp/4.3.0/dhcp-4.3.0.tar.gz
+
+--- dhcp-4.1-ESV-R7/server/stables.c.orig Thu Aug 23 19:23:54 2012
++++ dhcp-4.1-ESV-R7/server/stables.c Mon Apr 28 16:37:14 2014
+@@ -244,6 +244,7 @@
+ { "delayed-ack", "S", &server_universe, 58, 1 },
+ { "max-ack-delay", "L", &server_universe, 59, 1 },
+ #endif
++ { "ignore-client-uids", "f", &server_universe, 60, 1 },
+ { NULL, NULL, NULL, 0, 0 }
+ };
+
+--- dhcp-4.1-ESV-R7/server/dhcp.c.orig Thu Aug 23 19:23:54 2012
++++ dhcp-4.1-ESV-R7/server/dhcp.c Mon Apr 28 16:36:18 2014
+@@ -2304,31 +2304,40 @@
+ /* Update Client Last Transaction Time. */
+ lt->cltt = cur_time;
+
+- /* Record the uid, if given... */
+- oc = lookup_option (&dhcp_universe, packet -> options,
+- DHO_DHCP_CLIENT_IDENTIFIER);
+- if (oc &&
+- evaluate_option_cache (&d1, packet, lease,
+- (struct client_state *)0,
+- packet -> options, state -> options,
+- &lease -> scope, oc, MDL)) {
+- if (d1.len <= sizeof lt -> uid_buf) {
+- memcpy (lt -> uid_buf, d1.data, d1.len);
+- lt -> uid = lt -> uid_buf;
+- lt -> uid_max = sizeof lt -> uid_buf;
+- lt -> uid_len = d1.len;
+- } else {
+- unsigned char *tuid;
+- lt -> uid_max = d1.len;
+- lt -> uid_len = d1.len;
+- tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
+- /* XXX inelegant */
+- if (!tuid)
+- log_fatal ("no memory for large uid.");
+- memcpy (tuid, d1.data, lt -> uid_len);
+- lt -> uid = tuid;
++ /* See if we want to record the uid for this client */
++ oc = lookup_option(&server_universe, state->options,
++ SV_IGNORE_CLIENT_UIDS);
++ if ((oc == NULL) ||
++ !evaluate_boolean_option_cache(&ignorep, packet, lease, NULL,
++ packet->options, state->options,
++ &lease->scope, oc, MDL)) {
++
++ /* Record the uid, if given... */
++ oc = lookup_option (&dhcp_universe, packet -> options,
++ DHO_DHCP_CLIENT_IDENTIFIER);
++ if (oc &&
++ evaluate_option_cache (&d1, packet, lease,
++ (struct client_state *)0,
++ packet -> options, state -> options,
++ &lease -> scope, oc, MDL)) {
++ if (d1.len <= sizeof lt -> uid_buf) {
++ memcpy (lt -> uid_buf, d1.data, d1.len);
++ lt -> uid = lt -> uid_buf;
++ lt -> uid_max = sizeof lt -> uid_buf;
++ lt -> uid_len = d1.len;
++ } else {
++ unsigned char *tuid;
++ lt -> uid_max = d1.len;
++ lt -> uid_len = d1.len;
++ tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
++ /* XXX inelegant */
++ if (!tuid)
++ log_fatal ("no memory for large uid.");
++ memcpy (tuid, d1.data, lt -> uid_len);
++ lt -> uid = tuid;
++ }
++ data_string_forget (&d1, MDL);
+ }
+- data_string_forget (&d1, MDL);
+ }
+
+ if (host) {
+--- dhcp-4.1-ESV-R7/server/dhcpd.conf.5.orig Wed May 7 18:37:36 2014
++++ dhcp-4.1-ESV-R7/server/dhcpd.conf.5 Wed May 7 18:38:46 2014
+@@ -2302,6 +2302,19 @@
+ must be a constant value.
+ .RE
+ .PP
++The
++.I ignore-client-uids
++statement
++.RS 0.25i
++.PP
++.B ignore-client-uids \fIflag\fB;\fR
++.PP
++If the \fIignore-client-uids\fR statement is present and has a value of
++\fItrue\fR or \fIon\fR, the UID for clients will not be recorded.
++If this statement is not present or has a value of \fIfalse\fR or
++\fIoff\fR, then client UIDs will be recorded.
++.RE
++.PP
+ The
+ .I infinite-is-reserved
+ statement
+--- dhcp-4.1-ESV-R7/includes/dhcpd.h.orig Thu Aug 23 19:23:53 2012
++++ dhcp-4.1-ESV-R7/includes/dhcpd.h Mon Apr 28 16:11:17 2014
+@@ -627,6 +627,7 @@
+ #define SV_LIMIT_PREFS_PER_IA 57
+ #define SV_DELAYED_ACK 58
+ #define SV_MAX_ACK_DELAY 59
++#define SV_IGNORE_CLIENT_UIDS 60
+
+ #if !defined (DEFAULT_PING_TIMEOUT)
+ # define DEFAULT_PING_TIMEOUT 1
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/isc-dhcp/patches/002-CVE-2015-8605.patch Tue Jan 19 14:07:25 2016 -0800
@@ -0,0 +1,146 @@
+This patch was derived from ISC source differences between dhcp-4.1-ESV-R12
+and dhcp-4.1-ESV-R12-P1.
+
+--- old/./RELNOTES Thu Jan 7 21:28:37 2016
++++ new/./RELNOTES Thu Jan 7 21:28:37 2016
+@@ -1,6 +1,6 @@
+ Internet Systems Consortium DHCP Distribution
+- Version 4.1-ESV-R7
+- 10 September 2012
++ Version 4.1-ESV-R7-P1
++ 01 January 2016
+
+ Release Notes
+
+@@ -52,6 +52,13 @@
+ work on other platforms. Please report any problems and suggested fixes to
+ <[email protected]>.
+
++ Changes since 4.1-ESV-R7-P1
++
++! Update the bounds checking when receiving a packet.
++ Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
++ patch.
++ [ISC-Bugs #41267]
++
+ Changes since 4.1-ESV-R6
+
+ - Existing legacy unit-tests have been migrated to Automated Test
+--- old/common/packet.c Thu Jan 7 21:28:37 2016
++++ new/common/packet.c Thu Jan 7 21:28:37 2016
+@@ -220,7 +220,28 @@
+ }
+ }
+
+-/* UDP header and IP header decoded together for convenience. */
++/*!
++ *
++ * \brief UDP header and IP header decoded together for convenience.
++ *
++ * Attempt to decode the UDP and IP headers and, if necessary, checksum
++ * the packet.
++ *
++ * \param inteface - the interface on which the packet was recevied
++ * \param buf - a pointer to the buffer for the received packet
++ * \param bufix - where to start processing the buffer, previous
++ * routines may have processed parts of the buffer already
++ * \param from - space to return the address of the packet sender
++ * \param buflen - remaining length of the buffer, this will have been
++ * decremented by bufix by the caller
++ * \param rbuflen - space to return the length of the payload from the udp
++ * header
++ * \param csum_ready - indication if the checksum is valid for use
++ * non-zero indicates the checksum should be validated
++ *
++ * \return - the index to the first byte of the udp payload (that is the
++ * start of the DHCP packet
++ */
+
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
+@@ -231,7 +252,7 @@
+ unsigned char *data;
+ struct ip ip;
+ struct udphdr udp;
+- unsigned char *upp, *endbuf;
++ unsigned char *upp;
+ u_int32_t ip_len, ulen, pkt_len;
+ u_int32_t sum, usum;
+ static int ip_packets_seen;
+@@ -242,11 +263,8 @@
+ static int udp_packets_length_overflow;
+ unsigned len;
+
+- /* Designate the end of the input buffer for bounds checks. */
+- endbuf = buf + bufix + buflen;
+-
+ /* Assure there is at least an IP header there. */
+- if ((buf + bufix + sizeof(ip)) > endbuf)
++ if (sizeof(ip) > buflen)
+ return -1;
+
+ /* Copy the IP header into a stack aligned structure for inspection.
+@@ -258,13 +276,17 @@
+ ip_len = (*upp & 0x0f) << 2;
+ upp += ip_len;
+
+- /* Check the IP packet length. */
++ /* Check packet lengths are within the buffer:
++ * first the ip header (ip_len)
++ * then the packet length from the ip header (pkt_len)
++ * then the udp header (ip_len + sizeof(udp)
++ * We are liberal in what we accept, the udp payload should fit within
++ * pkt_len, but we only check against the full buffer size.
++ */
+ pkt_len = ntohs(ip.ip_len);
+- if (pkt_len > buflen)
+- return -1;
+-
+- /* Assure after ip_len bytes that there is enough room for a UDP header. */
+- if ((upp + sizeof(udp)) > endbuf)
++ if ((ip_len > buflen) ||
++ (pkt_len > buflen) ||
++ ((ip_len + sizeof(udp)) > buflen))
+ return -1;
+
+ /* Copy the UDP header into a stack aligned structure for inspection. */
+@@ -285,7 +307,8 @@
+ return -1;
+
+ udp_packets_length_checked++;
+- if ((upp + ulen) > endbuf) {
++ /* verify that the payload length from the udp packet fits in the buffer */
++ if ((ip_len + ulen) > buflen) {
+ udp_packets_length_overflow++;
+ if ((udp_packets_length_checked > 4) &&
+ ((udp_packets_length_checked /
+--- old/./configure Thu Jan 7 21:28:37 2016
++++ new/./configure Thu Jan 7 21:28:37 2016
+@@ -574,8 +574,8 @@
+ # Identity of this package.
+ PACKAGE_NAME='DHCP'
+ PACKAGE_TARNAME='dhcp'
+-PACKAGE_VERSION='4.1-ESV-R7'
+-PACKAGE_STRING='DHCP 4.1-ESV-R7'
++PACKAGE_VERSION='4.1-ESV-R7-P1'
++PACKAGE_STRING='DHCP 4.1-ESV-R7-P1'
+ PACKAGE_BUGREPORT='[email protected]'
+
+ # Factoring default headers for most tests.
+@@ -2125,7 +2125,7 @@
+
+ # Define the identity of the package.
+ PACKAGE='dhcp'
+- VERSION='4.1-ESV-R7'
++ VERSION='4.1-ESV-R7-P1'
+
+
+ cat >>confdefs.h <<_ACEOF
+--- old/./configure.ac Thu Jan 7 21:28:37 2016
++++ new/./configure.ac Thu Jan 7 21:28:37 2016
+@@ -1,4 +1,4 @@
+-AC_INIT([DHCP], [4.1-ESV-R7], [[email protected]])
++AC_INIT([DHCP], [4.1-ESV-R7-P1], [[email protected]])
+
+ # we specify "foreign" to avoid having to have the GNU mandated files,
+ # like AUTHORS, COPYING, and such
--- a/components/isc-dhcp/patches/ignore-client-uids.patch Fri Jan 15 15:23:59 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,112 +0,0 @@
-The following patch is adopted from ISC DHCP version 4.3.0.
-http://ftp.isc.org/isc/dhcp/4.3.0/dhcp-4.3.0.tar.gz
-
---- dhcp-4.1-ESV-R7/server/stables.c.orig Thu Aug 23 19:23:54 2012
-+++ dhcp-4.1-ESV-R7/server/stables.c Mon Apr 28 16:37:14 2014
-@@ -244,6 +244,7 @@
- { "delayed-ack", "S", &server_universe, 58, 1 },
- { "max-ack-delay", "L", &server_universe, 59, 1 },
- #endif
-+ { "ignore-client-uids", "f", &server_universe, 60, 1 },
- { NULL, NULL, NULL, 0, 0 }
- };
-
---- dhcp-4.1-ESV-R7/server/dhcp.c.orig Thu Aug 23 19:23:54 2012
-+++ dhcp-4.1-ESV-R7/server/dhcp.c Mon Apr 28 16:36:18 2014
-@@ -2304,31 +2304,40 @@
- /* Update Client Last Transaction Time. */
- lt->cltt = cur_time;
-
-- /* Record the uid, if given... */
-- oc = lookup_option (&dhcp_universe, packet -> options,
-- DHO_DHCP_CLIENT_IDENTIFIER);
-- if (oc &&
-- evaluate_option_cache (&d1, packet, lease,
-- (struct client_state *)0,
-- packet -> options, state -> options,
-- &lease -> scope, oc, MDL)) {
-- if (d1.len <= sizeof lt -> uid_buf) {
-- memcpy (lt -> uid_buf, d1.data, d1.len);
-- lt -> uid = lt -> uid_buf;
-- lt -> uid_max = sizeof lt -> uid_buf;
-- lt -> uid_len = d1.len;
-- } else {
-- unsigned char *tuid;
-- lt -> uid_max = d1.len;
-- lt -> uid_len = d1.len;
-- tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
-- /* XXX inelegant */
-- if (!tuid)
-- log_fatal ("no memory for large uid.");
-- memcpy (tuid, d1.data, lt -> uid_len);
-- lt -> uid = tuid;
-+ /* See if we want to record the uid for this client */
-+ oc = lookup_option(&server_universe, state->options,
-+ SV_IGNORE_CLIENT_UIDS);
-+ if ((oc == NULL) ||
-+ !evaluate_boolean_option_cache(&ignorep, packet, lease, NULL,
-+ packet->options, state->options,
-+ &lease->scope, oc, MDL)) {
-+
-+ /* Record the uid, if given... */
-+ oc = lookup_option (&dhcp_universe, packet -> options,
-+ DHO_DHCP_CLIENT_IDENTIFIER);
-+ if (oc &&
-+ evaluate_option_cache (&d1, packet, lease,
-+ (struct client_state *)0,
-+ packet -> options, state -> options,
-+ &lease -> scope, oc, MDL)) {
-+ if (d1.len <= sizeof lt -> uid_buf) {
-+ memcpy (lt -> uid_buf, d1.data, d1.len);
-+ lt -> uid = lt -> uid_buf;
-+ lt -> uid_max = sizeof lt -> uid_buf;
-+ lt -> uid_len = d1.len;
-+ } else {
-+ unsigned char *tuid;
-+ lt -> uid_max = d1.len;
-+ lt -> uid_len = d1.len;
-+ tuid = (unsigned char *)dmalloc (lt -> uid_max, MDL);
-+ /* XXX inelegant */
-+ if (!tuid)
-+ log_fatal ("no memory for large uid.");
-+ memcpy (tuid, d1.data, lt -> uid_len);
-+ lt -> uid = tuid;
-+ }
-+ data_string_forget (&d1, MDL);
- }
-- data_string_forget (&d1, MDL);
- }
-
- if (host) {
---- dhcp-4.1-ESV-R7/server/dhcpd.conf.5.orig Wed May 7 18:37:36 2014
-+++ dhcp-4.1-ESV-R7/server/dhcpd.conf.5 Wed May 7 18:38:46 2014
-@@ -2302,6 +2302,19 @@
- must be a constant value.
- .RE
- .PP
-+The
-+.I ignore-client-uids
-+statement
-+.RS 0.25i
-+.PP
-+.B ignore-client-uids \fIflag\fB;\fR
-+.PP
-+If the \fIignore-client-uids\fR statement is present and has a value of
-+\fItrue\fR or \fIon\fR, the UID for clients will not be recorded.
-+If this statement is not present or has a value of \fIfalse\fR or
-+\fIoff\fR, then client UIDs will be recorded.
-+.RE
-+.PP
- The
- .I infinite-is-reserved
- statement
---- dhcp-4.1-ESV-R7/includes/dhcpd.h.orig Thu Aug 23 19:23:53 2012
-+++ dhcp-4.1-ESV-R7/includes/dhcpd.h Mon Apr 28 16:11:17 2014
-@@ -627,6 +627,7 @@
- #define SV_LIMIT_PREFS_PER_IA 57
- #define SV_DELAYED_ACK 58
- #define SV_MAX_ACK_DELAY 59
-+#define SV_IGNORE_CLIENT_UIDS 60
-
- #if !defined (DEFAULT_PING_TIMEOUT)
- # define DEFAULT_PING_TIMEOUT 1