Bug 189529 - memory corruption on receipt of single-byte non-ascii value hex string options
memory corruption on receipt of single-byte non-ascii value hex string options
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dhcdbd (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jason Vas Dias
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-20 15:03 EDT by Jason Vas Dias
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: dhcdbd-1.14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-04-20 16:29:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jason Vas Dias 2006-04-20 15:03:20 EDT
Description of problem:

When a dhcp "hex string" (type 'X') option with a single byte value that is
not NVT-ASCII ( is < 32 or > 127 ) is received by dhcdbd, it could incorrectly
interpret it as an ASCII value, and cause potential memory corruption, as
reported by Florian Hackenberger<florian@hackenberger.at> as occurring under
valgrind on his Gentoo system:
<
lease {
  interface "eth1";
  fixed-address 192.168.1.3;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 192.168.1.1;
  option domain-name-servers 192.168.1.1,0.0.0.0;
  option host-name ff;
  option domain-name "";
  renew 4 2006/4/20 02:30:27;
  rebind 4 2006/4/20 14:11:06;
  expire 4 2006/4/20 17:11:06;
}

Here is the new valgrind output:
hacki-mobile dhcdbd-1.12 # valgrind ./dhcdbd --system -n
...
===21235== Using valgrind-3.1.0, a dynamic binary instrumentation framework.
...
==21235== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
...
==21235== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
...
==21235== Invalid read of size 1
==21235==    at 0x401E1F1: strlen 
(in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==21235==    by 0x40B3C48: vfprintf (in /lib/tls/libc-2.3.6.so)
==21235==    by 0x40CBC2A: vsprintf (in /lib/tls/libc-2.3.6.so)
==21235==    by 0x40B8D3A: sprintf (in /lib/tls/libc-2.3.6.so)
==21235==    by 0x8057D40: dhco_text_from_value (dhcp_options.c:1586)
==21235==    by 0x8058EC1: dhco_output_option (dhcp_options.c:2168)
==21235==    by 0x80526B7: dhcdbd_dhcp_option_handler (dhcdbd.c:2098)
==21235==    by 0x8056A6C: dhco_parse_option_settings (dhcp_options.c:1029)
==21235==    by 0x8052E78: dhcdbd_if_set (dhcdbd.c:2203)
==21235==    by 0x804AB27: message_handler (dbus_service.c:257)
==21235==    by 0x406313A: (within /usr/lib/libdbus-1.so.2.0.0)
==21235==    by 0x4058899: dbus_connection_dispatch 
(in /usr/lib/libdbus-1.so.2.0.0)
==21235==  Address 0x41B7301 is 0 bytes after a block of size 1 alloc'd
==21235==    at 0x401B590: malloc 
(in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==21235==    by 0x8058B45: dhco_input_option (dhcp_options.c:2043)
==21235==    by 0x80569F4: dhco_parse_option_settings (dhcp_options.c:1018)
==21235==    by 0x8052E78: dhcdbd_if_set (dhcdbd.c:2203)
==21235==    by 0x804AB27: message_handler (dbus_service.c:257)
==21235==    by 0x406313A: (within /usr/lib/libdbus-1.so.2.0.0)
==21235==    by 0x4058899: dbus_connection_dispatch 
(in /usr/lib/libdbus-1.so.2.0.0)
==21235==    by 0x804CE7A: dbus_svc_main_loop (dbus_service.c:1348)
==21235==    by 0x8054B49: dhcdbd_run (dhcdbd.c:2801)
==21235==    by 0x805985D: main (main.c:128)

As you can see, the AP sends ÿ as hostname, which obviously is not what it 
should, however dhcdbd should not crash on weird input.
>

Yes, the dhcp server was sending the single hex byte 0xff as the host-name
option, which caused potential memory corruption in dhcdbd, and several
dhcdbd crashes.

Happily, ISC DHCP 3.0.4b3+ has converted the host-name option type from 'X' 
( hex or ASCII ) to 't' (ASCII only) - this patch has been backported to
Red Hat's DHCP 3.0.1 - 3.0.3 distributions, so dhcp server operators will 
no longer be able to get away with setting the host-name of clients to -1 .

But yes, dhcdbd should not crash if someone sends a hex string value of
a single non-ascii byte - fixed in dhcdbd-1.14+ .


Version-Release number of selected component (if applicable):
dhcdbd-1.12

How reproducible:
100%

Steps to Reproduce:
See above

Note You need to log in before you can comment on or make changes to this bug.