Description of problem:
dhcpd SEGVs if path to config file exceeds ~60 characters (seems to be 58 or 59 chars, but I'm not sure)

Version-Release number of selected component (if applicable):
$ rpm -q dhcp
dhcp-3.0.5-7.el5

How reproducible:
100%

Steps to Reproduce:
1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Actual results:
Internet Systems Consortium DHCP Server V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Segmentation fault <<<<<<<<<<<<---------

Expected results:
Anything but a seg fault

Additional info:
File does not even have to exist for this to manifest. Does not appear to be a security issue per se as if you have permissions to trigger the bug you're already root.
(In reply to comment #0)
> 1. /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

This syntax causes dhcpd to test the default dhcpd.conf file (/etc/dhcpd.conf) for correctness. The last argument on the dhcpd command line is the network interface to bind to, such as eth0. If you want to specify a different configuration file, you need to use the -cf argument, such as:

/usr/sbin/dhcpd -t -cf /i/like/free/books/from/amazon

Still, your report is valid. It shouldn't segfault on what you specified either. It should report /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo as an invalid interface name and quit.

This would be the offending code:

----------
        struct interface_info *tmp = (struct interface_info *)0;
        result = interface_allocate (&tmp, MDL);
        if (result != ISC_R_SUCCESS)
            log_fatal ("Insufficient memory to %s %s: %s",
                       "record interface", argv [i],
                       isc_result_totext (result));
        strcpy (tmp -> name, argv [i]);
        if (interfaces) {
            interface_reference (&tmp -> next, interfaces, MDL);
            interface_dereference (&interfaces, MDL);
        }
        interface_reference (&interfaces, tmp, MDL);
        tmp -> flags = INTERFACE_REQUESTED;
----------

Before the strcpy(), some sanity checking should be done on argv[i] to make sure you are providing a legal interface name. I can think of a number of ways to validate the interface name.

1) Read /proc/net/dev and compare the argv[i] name to the names in the list. If we find the name, continue, otherwise fail.
2) Try to read ETHTOOL settings via ioctl() for the argv[i] interface. If it succeeds, continue, otherwise fail.

Flagging as something to fix for RHEL 5.4.
Filed upstream as ISC-Bugs #19617 Simplest fix: diff -up dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ dhcp-3.0.5/server/dhcpd.c --- dhcp-3.0.5/server/dhcpd.c.IFNAMSIZ 2009-04-20 15:35:32.000000000 -1000 +++ dhcp-3.0.5/server/dhcpd.c 2009-04-20 15:37:21.000000000 -1000 @@ -341,7 +341,7 @@ int main (argc, argv, envp) log_fatal ("Insufficient memory to %s %s: %s", "record interface", argv [i], isc_result_totext (result)); - strcpy (tmp -> name, argv [i]); + strncpy (tmp -> name, argv [i], sizeof(tmp->name)); if (interfaces) { interface_reference (&tmp -> next, interfaces, MDL); Will be in dhcp-3.0.5-20.el5 and later builds.
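Review bot: the replacement line `strncpy (tmp -> name, argv [i], sizeof(tmp->name));` stops the overflow but does not guarantee NUL termination: when argv[i] is sizeof(tmp->name) bytes or longer, tmp->name is left unterminated and later reads of it (log messages, interface lookups by name) can run past the end of the field, and a long argument is silently truncated to a different interface name instead of being rejected. Either copy sizeof(tmp->name) - 1 bytes and set tmp->name[sizeof(tmp->name) - 1] = '\0' explicitly, or, as comment #1 suggests, check strlen(argv[i]) < sizeof(tmp->name) before the copy and log_fatal an invalid interface name.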
With dhcp-3.0.5-21.el5, /usr/sbin/dhcpd -t /fooooooooooooooooooooooooooooooooooooooooooooooooooooooooo doesn't segfault and exits with exit code 1. Moving to VERIFIED.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1331.html