A vulnerability was found in DHCP. On a DHCP server configured with "allow leasequery;", a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the "add_option()" function being repeatedly called. This could cause an option's "refcount" field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references, so even at 1000 lease query responses per second, it would take more than three weeks to crash the server.
- 4.1-ESV-R1 -> 4.1-ESV-R16-P1
- 4.4.0 -> 4.4.3
For other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series), it is probable that all versions after the introduction of lease query in ISC DHCP 3.0 are affected.
Created dhcp tracking bugs for this issue:
Affects: fedora-all [bug 2132429]
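
The counter arithmetic from the description, with a saturating guard on the increment, as an added example (not ISC DHCP code and not part of the original report). `opt_model`, `opt_ref`, `opt_unref`, `serve_responses` and `seconds_to_saturate` are hypothetical names, the starting count near `INT_MAX` is constructed, and the unbalanced path is an assumption about why the counter only grows.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a reference-counted option; not ISC DHCP's struct. */
struct opt_model { int refcount; };

/* Checked increment: refuse the reference instead of overflowing the int. */
static bool opt_ref(struct opt_model *o)
{
    if (o->refcount <= 0 || o->refcount == INT_MAX)
        return false;               /* dead object or counter saturated */
    o->refcount++;
    return true;
}

/* Release one reference; returns true when the last holder is gone. */
static bool opt_unref(struct opt_model *o)
{
    if (o->refcount <= 0)
        return false;               /* underflow guard */
    return --o->refcount == 0;
}

/* Each response takes a reference on the same option; balanced=false never
 * releases it. Returns responses served before the guard rejects one. */
static long serve_responses(struct opt_model *o, long n, bool balanced)
{
    for (long i = 0; i < n; i++) {
        if (!opt_ref(o))
            return i;
        if (balanced)
            opt_unref(o);
    }
    return n;
}

/* Seconds until a counter starting at 1 reaches INT_MAX at a given rate. */
static long seconds_to_saturate(long responses_per_second)
{
    return ((long)INT_MAX - 1) / responses_per_second;
}

int main(void)
{
    struct opt_model o = { INT_MAX - 3 };   /* constructed: start near limit */
    printf("served before refusal: %ld\n", serve_responses(&o, 10, false));
    printf("days at 1000/s: %ld\n", seconds_to_saturate(1000) / 86400);
}
```

With the guard in place the request is refused at the limit rather than the counter wrapping; a refusal of this kind is also a useful event to log, since a healthy server should never approach it.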