Bug 441524
| Summary: | dhcpd segfaults if interface name is longer than IFNAMSIZ | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Ronan Waide <waider> |
| Component: | dhcp | Assignee: | David Cantrell <dcantrell> |
| Status: | CLOSED ERRATA | QA Contact: | Alexander Todorov <atodorov> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.1 | CC: | atodorov, borgan |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-02 10:13:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Ronan Waide
2008-04-08 15:54:51 UTC
(In reply to comment #0)
> 1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

This syntax causes dhcpd to test the default dhcpd.conf file (/etc/dhcpd.conf) for correctness. The last argument on the dhcpd command line is the network interface to bind to, such as eth0. If you want to specify a different configuration file, you need to use the -cf argument, such as:

/usr/sbin/dhcpd -t -cf /i/like/free/books/from/amazon

Still, your report is valid. It shouldn't segfault on what you specified either. It should report /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo as an invalid interface name and quit.

This would be the offending code:

----------
struct interface_info *tmp = (struct interface_info *)0;
result = interface_allocate (&tmp, MDL);
if (result != ISC_R_SUCCESS)
	log_fatal ("Insufficient memory to %s %s: %s",
		   "record interface", argv [i],
		   isc_result_totext (result));
strcpy (tmp -> name, argv [i]);
if (interfaces) {
	interface_reference (&tmp -> next, interfaces, MDL);
	interface_dereference (&interfaces, MDL);
}
interface_reference (&interfaces, tmp, MDL);
tmp -> flags = INTERFACE_REQUESTED;
----------

Before the strcpy(), some sanity checking should be done on argv[i] to make sure you are providing a legal interface name. I can think of a number of ways to validate the interface name.

1) Read /proc/net/dev and compare the argv[i] name to the names in the list. If we find the name, continue, otherwise fail.

2) Try to read ETHTOOL settings via ioctl() for the argv[i] interface. If it succeeds, continue, otherwise fail.

Flagging as something to fix for RHEL 5.4.

Filed upstream as ISC-Bugs #19617
Simplest fix:
diff -up dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ dhcp-3.0.5/server/dhcpd.c
--- dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ 2009-04-20 15:35:32.000000000 -1000
+++ dhcp-3.0.5/server/dhcpd.c 2009-04-20 15:37:21.000000000 -1000
@@ -341,7 +341,7 @@ int main (argc, argv, envp)
log_fatal ("Insufficient memory to %s %s: %s",
"record interface", argv [i],
isc_result_totext (result));
- strcpy (tmp -> name, argv [i]);
+ strncpy (tmp -> name, argv [i], sizeof(tmp->name));
if (interfaces) {
interface_reference (&tmp -> next,
interfaces, MDL);
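Review bot: the replacement line strncpy (tmp -> name, argv [i], sizeof(tmp->name)) leaves tmp->name without a terminating NUL whenever argv[i] is at least sizeof(tmp->name) bytes long, so any later string read of the name can still run past the buffer. It also truncates silently, so an over-long argument could end up being treated as a shorter, different interface name. Suggest testing strlen(argv[i]) >= sizeof(tmp->name) before the copy and calling log_fatal with an invalid interface name message, or at minimum copying sizeof(tmp->name) - 1 bytes and setting the final byte to '\0'.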
Will be in dhcp-3.0.5-20.el5 and later builds.
With dhcp-3.0.5-21.el5, /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo doesn't segfault and exits with exit code 1. Moving to VERIFIED.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1331.html