I have assigned CVE-2006-3122 to this issue. Eloy, please let us know which version in sid fixes the problem when you upload a package.
Andrew, is it ok when we credit you in the advisory for discovery?

Andrew Steets wrote:
> There is a bug in ISC DHCP server version 2 that causes the server to
> unexpectedly exit when it receives a DHCPOFFER packet with a
> client-identifier option which is exactly 32 bytes long.
>
> A malicious user could use this as a sort of denial of service attack on
> a version 2 dhcp server. This does not appear to be a problem with the
> dhcp version 3 server.
>
> Explanation of the bug:
> The DHCP server has a lease struct which contains a buffer (uid_buf)
> which is 32 bytes long. If it needs more space, it simply malloc's new
> storage. There is an edge condition in supersede_lease() from memory.c
> that causes a 32 byte client-identifier to be mistakenly interpreted as
> a corrupt uid, and so the server exits with the message "corrupt lease
> uid."

Well spotted! Thanks a lot for the research and the patch.

Regards,

Joey

--
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
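The boundary mistake Andrew describes (a 32-byte inline uid buffer, heap storage only for longer ids, and a copy routine that treats an id of exactly 32 bytes as corrupt) is easy to model. The following is an added example written for this thread, not the ISC dhcp-2 source and not the patch under discussion: the struct field `uid_buf` and the "corrupt lease uid" outcome come from the report, while `lease_set_uid`, `supersede_uid`, `try_uid_len` and the choice of `<` versus `<=` as the buggy and corrected comparisons are assumptions made to illustrate the edge condition.

```c
/* Hypothetical model (added example; not the ISC dhcp-2 code) of the
 * edge condition reported for supersede_lease(): a lease keeps a 32-byte
 * inline buffer for the client identifier and heap-allocates only for
 * longer ids. A copy routine that tests "len < sizeof buf" instead of
 * "len <= sizeof buf" misclassifies an id of exactly 32 bytes. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define UID_BUF_SIZE 32

struct lease {
    unsigned char *uid;                  /* points at uid_buf or at heap storage */
    size_t uid_len;
    size_t uid_max;
    unsigned char uid_buf[UID_BUF_SIZE]; /* inline storage for short ids */
};

enum supersede_result { SUPERSEDE_OK = 0, SUPERSEDE_CORRUPT_UID = 1 };

/* Fill a lease from a raw client identifier the way a parser would:
 * inline when it fits, otherwise malloc'd. Returns 0 on allocation failure. */
int lease_set_uid(struct lease *l, const unsigned char *id, size_t len)
{
    if (len <= UID_BUF_SIZE) {
        memcpy(l->uid_buf, id, len);
        l->uid = l->uid_buf;
        l->uid_max = UID_BUF_SIZE;
    } else {
        l->uid = malloc(len);
        if (!l->uid)
            return 0;
        memcpy(l->uid, id, len);
        l->uid_max = len;
    }
    l->uid_len = len;
    return 1;
}

/* Copy the uid of `lease` into `comp`. `strict` selects the assumed buggy
 * comparison (<) or the corrected one (<=). Under the strict test a 32-byte
 * id is inline but judged "too long", so it falls through to the branch
 * that the real server treats as a corrupt uid and exits. */
static enum supersede_result supersede_uid(struct lease *comp,
                                           struct lease *lease, int strict)
{
    int fits = strict ? (lease->uid_len < UID_BUF_SIZE)
                      : (lease->uid_len <= UID_BUF_SIZE);
    if (fits) {
        /* short id: copy into comp's inline buffer */
        memcpy(comp->uid_buf, lease->uid, lease->uid_len);
        comp->uid = comp->uid_buf;
        comp->uid_max = UID_BUF_SIZE;
    } else if (lease->uid != lease->uid_buf) {
        /* long id: take over the heap allocation */
        comp->uid = lease->uid;
        comp->uid_max = lease->uid_max;
        lease->uid = NULL;
        lease->uid_max = 0;
    } else {
        /* neither case matched: inline storage with a "long" length */
        return SUPERSEDE_CORRUPT_UID;
    }
    comp->uid_len = lease->uid_len;
    return SUPERSEDE_OK;
}

enum supersede_result supersede_buggy(struct lease *comp, struct lease *lease)
{
    return supersede_uid(comp, lease, 1);
}

enum supersede_result supersede_fixed(struct lease *comp, struct lease *lease)
{
    return supersede_uid(comp, lease, 0);
}

/* Exercise one comparison with a constructed id of `len` bytes (at most 64)
 * and report the result code. */
enum supersede_result try_uid_len(size_t len, int buggy)
{
    unsigned char id[64];
    struct lease from, to;
    enum supersede_result r;

    memset(id, 'A', sizeof id);
    memset(&from, 0, sizeof from);
    memset(&to, 0, sizeof to);
    if (len > sizeof id || !lease_set_uid(&from, id, len))
        return SUPERSEDE_CORRUPT_UID;
    r = buggy ? supersede_buggy(&to, &from) : supersede_fixed(&to, &from);
    if (to.uid && to.uid != to.uid_buf)
        free(to.uid);
    if (from.uid && from.uid != from.uid_buf)
        free(from.uid);
    return r;
}
```

Lengths of 31 and 40 bytes behave the same under both comparisons; only the 32-byte id, the one size that is both "fits inline" and "not strictly shorter than the buffer", diverges, which is why a single-length test case of exactly `sizeof uid_buf` is the regression check worth keeping for this class of bug.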