Bug 1102662

Summary: dhcpd/dhcrelay segfault if interface name is longer than IFNAMSIZ
Product: Red Hat Enterprise Linux 6 Reporter: Jiri Popelka <jpopelka>
Component: dhcpAssignee: Jiri Popelka <jpopelka>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.5CC: ljozsa, mganisin, ovasik
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dhcp-4.1.1-43.P1.el6 Doc Type: Bug Fix
Doc Text:
Cause: When starting dhcpd or dhcrelay user specifies name of network interface which is longer than 15 characters. Consequence: dhcpd/dhcrealy crash with: "*** buffer overflow detected ***" Fix: Patch was back-ported. Result: dhcpd/dhcrelay exit gracefully with message: "interface name too long"
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 04:31:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1083985    
Attachments:
Description Flags
fixed IFNAMSIZ.patch none

Description Jiri Popelka 2014-05-29 12:08:44 UTC 
Problem discovered by Ladislav Józsa.

Steps to Reproduce:
1. dhcpd -d eth1eth1eth1eth1

Actual results:
*** buffer overflow detected ***: dhcpd terminated

Expected results:
eth1eth1eth1eth1: interface name too long

Additional info:
This was supposed to be fixed with bug #441524, comment #3,
but I'm not sure how the patch could have ever worked when the copied string is not null-terminated. It needs also
  tmp->name[sizeof(tmp->name) - 1]= '\0';

Anyway, upstream's approach is to check the length beforehand and exit if it's too long, see attached patch (which fixes also dhcrelay, dhclient is ok).
Comment 1 Jiri Popelka 2014-05-29 12:09:15 UTC 
Created attachment 900331 [details]
fixed IFNAMSIZ.patch
Comment 6 errata-xmlrpc 2014-10-14 04:31:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1406.html