Bug 441524 - dhcpd segfaults if interface name is longer than IFNAMSIZ
Summary: dhcpd segfaults if interface name is longer than IFNAMSIZ
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: dhcp
Version: 5.1
Hardware: i386
OS: Linux
Target Milestone: rc
Assignee: David Cantrell
QA Contact: Alexander Todorov
Depends On:
Reported: 2008-04-08 15:54 UTC by Ronan Waide
Modified: 2009-09-02 10:13 UTC (History)
2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-02 10:13:06 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:1331 normal SHIPPED_LIVE dhcp bug fix update 2009-09-01 10:37:36 UTC

Description Ronan Waide 2008-04-08 15:54:51 UTC
Description of problem:
dhcpd SEGVs if path to config file exceeds ~60 characters (seems to be 58 or 59
chars, but I'm not sure)

Version-Release number of selected component (if applicable):
$ rpm -q dhcp

How reproducible:

Steps to Reproduce:
1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Actual results:
Internet Systems Consortium DHCP Server V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Segmentation fault <<<<<<<<<<<<---------

Expected results:
Anything but a seg fault

Additional info:
File does not even have to exist for this to manifest.

Does not appear to be a security issue per se as if you have permissions to
trigger the bug you're already root.

Comment 1 David Cantrell 2008-09-26 03:56:31 UTC
(In reply to comment #0)
> 1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

This syntax causes dhcpd to test the default dhcpd.conf file (/etc/dhcpd.conf) for correctness.  The last argument on the dhcpd command line is the network interface to bind to, such as eth0.

If you want to specify a different configuration file, you need to use the -cf argument, such as:

/usr/sbin/dhcpd -t -cf /i/like/free/books/from/amazon

Still, your report is valid.  It shouldn't segfault on what you specified either.  It should report /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo as an invalid interface name and quit.

This would be the offending code:

struct interface_info *tmp = (struct interface_info *)0;
result = interface_allocate (&tmp, MDL);
if (result != ISC_R_SUCCESS)
    log_fatal ("Insufficient memory to %s %s: %s", "record interface",
               argv [i], isc_result_totext (result));
strcpy (tmp -> name, argv [i]);   /* unbounded copy of argv[i] into the fixed-size name field */
if (interfaces) {
    interface_reference (&tmp -> next, interfaces, MDL);
    interface_dereference (&interfaces, MDL);
}
interface_reference (&interfaces, tmp, MDL);

Before the strcpy(), some sanity checking should be done on argv[i] to make sure you are providing a legal interface name.

I can think of a number of ways to validate the interface name.
1) Read /proc/net/dev and compare the argv[i] name to the names in the list.  If we find the name, continue, otherwise fail.
2) Try to read ETHTOOL settings via ioctl() for the argv[i] interface.  If it succeeds, continue, otherwise fail.

Flagging as something to fix for RHEL 5.4.

Comment 3 David Cantrell 2009-04-21 01:58:04 UTC
Filed upstream as ISC-Bugs #19617

Simplest fix:

diff -up dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ dhcp-3.0.5/server/dhcpd.c
--- dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ	2009-04-20 15:35:32.000000000 -1000
+++ dhcp-3.0.5/server/dhcpd.c	2009-04-20 15:37:21.000000000 -1000
@@ -341,7 +341,7 @@ int main (argc, argv, envp)
 				log_fatal ("Insufficient memory to %s %s: %s",
 					   "record interface", argv [i],
 					   isc_result_totext (result));
-			strcpy (tmp -> name, argv [i]);
+			strncpy (tmp -> name, argv [i], sizeof(tmp->name));
 			if (interfaces) {
 				interface_reference (&tmp -> next,
 						     interfaces, MDL);
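
Review bot: the strncpy() on the `+` line stops the overflow but not the unterminated-buffer case: strncpy (tmp -> name, argv [i], sizeof(tmp->name)) copies exactly sizeof(tmp->name) bytes and writes no NUL when argv[i] is IFNAMSIZ characters or longer, so any later strlen() or %s logging of tmp->name reads past the field. Comment 1 asked for argv[i] to be validated before the copy; the minimal form is `if (strlen(argv [i]) >= sizeof(tmp->name)) log_fatal ("invalid interface name: %s", argv [i]);` ahead of the copy, or at the very least `tmp -> name[sizeof(tmp->name) - 1] = '\0';` after the strncpy. As written the over-long name is silently truncated rather than rejected as invalid, which is the behaviour Comment 1 said the server should have.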

Will be in dhcp-3.0.5-20.el5 and later builds.

Comment 5 Alexander Todorov 2009-05-08 10:16:53 UTC
with dhcp-3.0.5-21.el5

/usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

doesn't segfault and exits with exit code 1.

moving to VERIFIED.

Comment 7 errata-xmlrpc 2009-09-02 10:13:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

