Red Hat Bugzilla – Attachment 612210 Details for Bug 856766: CVE-2012-3955 dhcp: reduced expiration time of an IPv6 lease may cause dhcpd to crash
[patch] fix derived from upstream dhcp-4.2.4-P2
dhcp-CVE-2012-3955.patch (text/plain), 7.34 KB, created by Vincent Danen on 2012-09-12 18:53:37 UTC
>diff -pruN dhcp-4.2.4-P1/RELNOTES dhcp-4.2.4-P2/RELNOTES >--- dhcp-4.2.4-P1/RELNOTES 2012-07-13 00:18:05.000000000 -0600 >+++ dhcp-4.2.4-P2/RELNOTES 2012-08-27 20:15:33.000000000 -0600 >@@ -39,6 +39,15 @@ The system has only been tested on Linux > work on other platforms. Please report any problems and suggested fixes to > <dhcp-users@isc.org>. > >+ Changes since 4.2.4-P1 >+ >+! An issue with the use of lease times was found and fixed. Making >+ certain changes to the end time of an IPv6 lease could cause the >+ server to abort. Thanks to Glen Eustace of Massey University, >+ New Zealand for finding this issue. >+ [ISC-Bugs #30281] >+ CVE: CVE-2012-3955 >+ > Changes since 4.2.4 > > ! Previously the server code was relaxed to allow packets with zero >diff -pruN dhcp-4.2.4-P1/server/dhcpv6.c dhcp-4.2.4-P2/server/dhcpv6.c >--- dhcp-4.2.4-P1/server/dhcpv6.c 2012-07-13 00:18:05.000000000 -0600 >+++ dhcp-4.2.4-P2/server/dhcpv6.c 2012-08-27 20:13:22.000000000 -0600 >@@ -1837,9 +1837,6 @@ reply_process_ia_na(struct reply_state * > ia_reference(&tmp->ia, reply->ia, MDL); > > /* Commit 'hard' bindings. */ >- tmp->hard_lifetime_end_time = >- tmp->soft_lifetime_end_time; >- tmp->soft_lifetime_end_time = 0; > renew_lease6(tmp->ipv6_pool, tmp); > schedule_lease_timeout(tmp->ipv6_pool); > >@@ -2498,9 +2495,6 @@ reply_process_ia_ta(struct reply_state * > ia_reference(&tmp->ia, reply->ia, MDL); > > /* Commit 'hard' bindings. */ >- tmp->hard_lifetime_end_time = >- tmp->soft_lifetime_end_time; >- tmp->soft_lifetime_end_time = 0; > renew_lease6(tmp->ipv6_pool, tmp); > schedule_lease_timeout(tmp->ipv6_pool); 
> >@@ -3370,9 +3364,6 @@ reply_process_ia_pd(struct reply_state * > ia_reference(&tmp->ia, reply->ia, MDL); > > /* Commit 'hard' bindings. */ >- tmp->hard_lifetime_end_time = >- tmp->soft_lifetime_end_time; >- tmp->soft_lifetime_end_time = 0; > renew_lease6(tmp->ipv6_pool, tmp); > schedule_lease_timeout(tmp->ipv6_pool); > } >diff -pruN dhcp-4.2.4-P1/server/mdb6.c dhcp-4.2.4-P2/server/mdb6.c >--- dhcp-4.2.4-P1/server/mdb6.c 2012-07-13 00:17:54.000000000 -0600 >+++ dhcp-4.2.4-P2/server/mdb6.c 2012-08-27 20:13:22.000000000 -0600 
>@@ -26,24 +26,26 @@ > * A brief description of the IPv6 structures as reverse engineered. > * > * There are three major data strucutes involved in the database: >- * ipv6_pool - this contains information about a pool of addresses or prefixes >+ * >+ * - ipv6_pool - this contains information about a pool of addresses or prefixes > * that the server is using. This includes a hash table that > * tracks the active items and a pair of heap tables one for > * active items and one for non-active items. The heap tables > * are used to determine the next items to be modified due to > * timing events (expire mostly). >- * ia_xx - this contains information about a single IA from a request >+ * - ia_xx - this contains information about a single IA from a request > * normally it will contain one pointer to a lease for the client > * but it may contain more in some circumstances. There are 3 >- * hash tables to aid in accessing these one each for NA, TA and PD >- * iasubopt - the v6 lease structure. These are creaeted dynamically when >+ * hash tables to aid in accessing these one each for NA, TA and PD. >+ * - iasubopt- the v6 lease structure. These are created dynamically when > * a client asks for something and will eventually be destroyed > * if the client doesn't re-ask for that item. A lease has space > * for backpointers to the IA and to the pool to which it belongs. >- * The pool backpointer is always filled, the IA pointer may not be >+ * The pool backpointer is always filled, the IA pointer may not be. > * > * In normal use we then have something like this: > * >+ * \verbatim > * ia hash tables > * ia_na_active +----------------+ > * ia_ta_active +------------+ | pool | 
>@@ -53,6 +55,7 @@ > * | iasubopt array |<---| iaptr |<--| inactive heap | > * | lease ptr |--->| | | | > * +-----------------+ +------------+ +----------------+ >+ * \endverbatim > * > * For the pool either the inactive heap will have a pointer > * or both the active heap and the active hash will have pointers. >@@ -934,7 +937,7 @@ create_lease6(struct ipv6_pool *pool, st > } > > >-/*! \file server/mdb6.c >+/*! > * > * \brief Cleans up leases when reading from a lease file > * 
>@@ -1235,29 +1238,49 @@ move_lease_to_active(struct ipv6_pool *p > return insert_result; > } > >-/* >- * Renew an lease in the pool. >+/*! >+ * \brief Renew a lease in the pool. >+ * >+ * The hard_lifetime_end_time of the lease should be set to >+ * the current expiration time. >+ * The soft_lifetime_end_time of the lease should be set to >+ * the desired expiration time. >+ * >+ * This routine will compare the two and call the correct >+ * heap routine to move the lease. If the lease is active >+ * and the new expiration time is greater (the normal case) >+ * then we call isc_heap_decreased() as a larger time is a >+ * lower priority. If the new expiration time is less then >+ * we call isc_heap_increased(). >+ * >+ * If the lease is abandoned then it will be on the active list >+ * and we will always call isc_heap_increased() as the previous >+ * expiration would have been all 1s (as close as we can get >+ * to infinite). >+ * >+ * If the lease is moving to active we call that routine >+ * which will move it from the inactive list to the active list. > * >- * To do this, first set the new hard_lifetime_end_time for the resource, >- * and then invoke renew_lease6() on it. >+ * \param pool a pool the lease belongs to >+ * \param lease the lease to be renewed > * >- * WARNING: lease times must only be extended, never reduced!!! >+ * \return result of the renew operation (ISC_R_SUCCESS if successful, >+ ISC_R_NOMEMORY when run out of memory) > */ > isc_result_t > renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) { >- /* >- * If we're already active, then we can just move our expiration >- * time down the heap. >- * >- * If we're abandoned then we are already on the active list >- * but we need to retag the lease and move our expiration >- * from infinite to the current value >- * >- * Otherwise, we have to move from the inactive heap to the >- * active heap. 
>- */ >+ time_t old_end_time = lease->hard_lifetime_end_time; >+ lease->hard_lifetime_end_time = lease->soft_lifetime_end_time; >+ lease->soft_lifetime_end_time = 0; >+ > if (lease->state == FTS_ACTIVE) { >- isc_heap_decreased(pool->active_timeouts, lease->heap_index); >+ if (old_end_time <= lease->hard_lifetime_end_time) { >+ isc_heap_decreased(pool->active_timeouts, >+ lease->heap_index); >+ } else { >+ isc_heap_increased(pool->active_timeouts, >+ lease->heap_index); >+ } > return ISC_R_SUCCESS; > } else if (lease->state == FTS_ABANDONED) { > char tmp_addr[INET6_ADDRSTRLEN]; >@@ -1920,9 +1943,8 @@ change_leases(struct ia_xx *ia, > /* > * Renew all leases in an IA from all pools. > * >- * The new hard_lifetime_end_time should be updated for the addresses/prefixes. >- * >- * WARNING: lease times must only be extended, never reduced!!! >+ * The new lifetime should be in the soft_lifetime_end_time >+ * and will be moved to hard_lifetime_end_time by renew_lease6. > */ > isc_result_t > renew_leases(struct ia_xx *ia) {
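Review bot: In the three server/dhcpv6.c hunks (reply_process_ia_na, reply_process_ia_ta, reply_process_ia_pd) the comment "Commit 'hard' bindings." is left above a bare renew_lease6() call after the assignments it described were removed, so the call sites no longer show where soft_lifetime_end_time becomes the hard end time. Suggest rewording the comment at each site to say that renew_lease6() now moves soft_lifetime_end_time into hard_lifetime_end_time and clears it. Otherwise a later reader may re-add the assignment at the call site, which would leave soft_lifetime_end_time at 0 and have renew_lease6() copy that 0 into hard_lifetime_end_time.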
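Review bot: The comment-only hunks in server/mdb6.c (the file header at @@ -26,24 and @@ -53,6, and the \file removal at @@ -934,7) are unrelated to the lease-time change and would be better split into a separate patch, since mixing Doxygen cleanup into the CVE-2012-3955 fix makes the security-relevant lines harder to audit and backport. If they stay, note that the unchanged context line still reads "data strucutes", and the new "- iasubopt-" entry lacks the space before the dash that "- ipv6_pool -" and "- ia_xx -" have.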
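Review bot: At the top of renew_lease6() in the @@ -1235,29 hunk, soft_lifetime_end_time is copied into hard_lifetime_end_time unconditionally, with no check that the caller actually set it. If soft_lifetime_end_time is still 0 (a caller that writes hard_lifetime_end_time directly, as the removed comment used to instruct, or a second call on the same lease), the lease ends up with hard_lifetime_end_time = 0, and in the FTS_ACTIVE branch a lease whose old end time was non-zero is then treated as shortened and moved with isc_heap_increased(). Suggest rejecting or logging a zero soft_lifetime_end_time before the copy, and stating that precondition in the "\param lease" text and in the renew_leases() comment changed in the @@ -1920,9 hunk. Minor: "is less then" in the new comment should be "is less than", and the ISC_R_NOMEMORY continuation line of \return is missing its leading " *".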