Bug 441524 - dhcpd segfaults if interface name is longer than IFNAMSIZ
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: dhcp
Version: 5.1
Hardware: i386 Linux
Priority: low
Severity: low
Assigned To: David Cantrell
Alexander Todorov
Reported: 2008-04-08 11:54 EDT by Ronan Waide
Modified: 2009-09-02 06:13 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 06:13:06 EDT
Attachments: None
Description Ronan Waide 2008-04-08 11:54:51 EDT
Description of problem:
dhcpd SEGVs if path to config file exceeds ~60 characters (seems to be 58 or 59 chars, but I'm not sure)

Version-Release number of selected component (if applicable):
$ rpm -q dhcp
dhcp-3.0.5-7.el5

How reproducible:
100%

Steps to Reproduce:
1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
  
Actual results:
Internet Systems Consortium DHCP Server V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Segmentation fault <<<<<<<<<<<<---------

Expected results:
Anything but a seg fault

Additional info:
File does not even have to exist for this to manifest.

Does not appear to be a security issue per se, as if you have permissions to trigger the bug you're already root.
Comment 1 David Cantrell 2008-09-25 23:56:31 EDT
(In reply to comment #0)
> 1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

This syntax causes dhcpd to test the default dhcpd.conf file (/etc/dhcpd.conf) for correctness.  The last argument on the dhcpd command line is the network interface to bind to, such as eth0.

If you want to specify a different configuration file, you need to use the -cf argument, such as:

/usr/sbin/dhcpd -t -cf /i/like/free/books/from/amazon

Still, your report is valid.  It shouldn't segfault on what you specified either.  It should report /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo as an invalid interface name and quit.

This would be the offending code:

----------
/* dhcpd.c, main(): recording an interface name given on the command line */
struct interface_info *tmp = (struct interface_info *)0;
result = interface_allocate (&tmp, MDL);
if (result != ISC_R_SUCCESS)
    log_fatal ("Insufficient memory to %s %s: %s", "record interface", argv [i], isc_result_totext (result));
/* tmp -> name is a fixed-size IFNAMSIZ buffer; argv [i] is copied into it
   unchecked, so an over-long argument overflows it and dhcpd segfaults */
strcpy (tmp -> name, argv [i]);
if (interfaces) {
   interface_reference (&tmp -> next, interfaces, MDL);
   interface_dereference (&interfaces, MDL);
}
interface_reference (&interfaces, tmp, MDL);
tmp -> flags = INTERFACE_REQUESTED;
----------

Before the strcpy(), some sanity checking should be done on argv[i] to make sure you are providing a legal interface name.

I can think of a number of ways to validate the interface name.
1) Read /proc/net/dev and compare the argv[i] name to the names in the list.  If we find the name, continue, otherwise fail.
2) Try to read ETHTOOL settings via ioctl() for the argv[i] interface.  If it succeeds, continue, otherwise fail.

Flagging as something to fix for RHEL 5.4.
Comment 3 David Cantrell 2009-04-20 21:58:04 EDT
Filed upstream as ISC-Bugs #19617

Simplest fix:

diff -up dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ dhcp-3.0.5/server/dhcpd.c
--- dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ	2009-04-20 15:35:32.000000000 -1000
+++ dhcp-3.0.5/server/dhcpd.c	2009-04-20 15:37:21.000000000 -1000
@@ -341,7 +341,7 @@ int main (argc, argv, envp)
 				log_fatal ("Insufficient memory to %s %s: %s",
 					   "record interface", argv [i],
 					   isc_result_totext (result));
-			strcpy (tmp -> name, argv [i]);
+			strncpy (tmp -> name, argv [i], sizeof(tmp->name));
 			if (interfaces) {
 				interface_reference (&tmp -> next,
 						     interfaces, MDL);
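Review bot: strncpy with sizeof(tmp->name) as the bound leaves tmp->name without a NUL terminator whenever argv [i] is sizeof(tmp->name) characters or longer, so the overflow in the removed `strcpy (tmp -> name, argv [i]);` becomes an unterminated name that later string operations read past. Either bound the copy with sizeof(tmp->name) - 1 and set the last byte to '\0' explicitly, or, closer to what comment 1 asks for, reject the argument before the copy, e.g. `if (strlen (argv [i]) >= sizeof (tmp -> name)) log_fatal ("%s: invalid interface name", argv [i]);`, so an over-long name is reported rather than silently truncated to a different interface name.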


Will be in dhcp-3.0.5-20.el5 and later builds.
Comment 5 Alexander Todorov 2009-05-08 06:16:53 EDT
With dhcp-3.0.5-21.el5

/usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

doesn't segfault and exits with exit code 1.

Moving to VERIFIED.
Comment 7 errata-xmlrpc 2009-09-02 06:13:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1331.html
