Package: isc-dhcp-server
Version: 4.1.1-P1-15
Severity: grave
Tags: security patch
Hi Ari,

Just as a public record, the following advisory (CVE-2011-0413 [0]) has been published by ISC [1]:

> When the DHCPv6 server code processes a message for an address that was
> previously declined and internally tagged as abandoned it can trigger an
> assert failure resulting in the server crashing. This could be used to
> crash DHCPv6 servers remotely. This issue only affects DHCPv6 servers.
> DHCPv4 servers are unaffected.

I'm attaching the patch that was used for 4.1-ESV, which applies almost cleanly in 4.1.1-P1 (3 lines diff between hunks.) I have not tested it, though.

[0] http://security-tracker.debian.org/tracker/CVE-2011-0413
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0413
[1] http://www.isc.org/software/dhcp/advisories/cve-2011-0413

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- dhcp-4.1-ESV/server/mdb6.c +++ dhcp-4.1-ESV-R1/server/mdb6.c @@ -1009,7 +1009,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) { * Renew an lease in the pool. * * To do this, first set the new hard_lifetime_end_time for the resource, - * and then invoke renew_lease() on it. + * and then invoke renew_lease6() on it. * * WARNING: lease times must only be extended, never reduced!!! */ @@ -1019,12 +1019,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) { * If we're already active, then we can just move our expiration * time down the heap. * + * If we're abandoned then we are already on the active list + * but we need to retag the lease and move our expiration + * from infinite to the current value + * * Otherwise, we have to move from the inactive heap to the * active heap. */ if (lease->state == FTS_ACTIVE) { isc_heap_decreased(pool->active_timeouts, lease->heap_index); return ISC_R_SUCCESS; + } else if (lease->state == FTS_ABANDONED) { + char tmp_addr[INET6_ADDRSTRLEN]; + lease->state = FTS_ACTIVE; + isc_heap_increased(pool->active_timeouts, lease->heap_index); + log_info("Reclaiming previously abandoned address %s", + inet_ntop(AF_INET6, &(lease->addr), tmp_addr, + sizeof(tmp_addr))); + return ISC_R_SUCCESS; } else { return move_lease_to_active(pool, lease); } @@ -1112,7 +1124,8 @@ isc_result_t decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) { isc_result_t result; - if (lease->state != FTS_ACTIVE) { + if ((lease->state != FTS_ACTIVE) && + (lease->state != FTS_ABANDONED)) { result = move_lease_to_active(pool, lease); if (result != ISC_R_SUCCESS) { return result;
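Review bot: in the new FTS_ABANDONED branch of renew_lease6 (second hunk), the heap call runs in the opposite direction from the FTS_ACTIVE branch just above it (isc_heap_increased instead of isc_heap_decreased), and the reason is only implied: an abandoned lease is already on the active heap with an infinite expiration, and the function's header comment requires the caller to have set the new hard_lifetime_end_time before calling, so the entry now has a smaller timeout and must float toward the top of the active_timeouts heap. The added comment should state that explicitly, and should also say that this branch is the one intended exception to the "lease times must only be extended, never reduced!!!" warning a few lines earlier, since the branch is easy to misread as a copy-paste of the active case with the wrong heap function.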
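Review bot: the widened condition in decline_lease6 (third hunk) stops an already-abandoned lease from being passed to move_lease_to_active, which is consistent with the advisory quoted above: such a lease is already on the active list, and pushing it onto the active heap a second time is where the assert would fire on a repeated decline of the same address. The remainder of decline_lease6 is not in the hunk, so please confirm that the code after this check, whatever tags the lease FTS_ABANDONED and sets its infinite expiration, is safe to run on a lease that is already in that state and already positioned in the heap, rather than adjusting heap_index again; if it is not, the FTS_ABANDONED case should return ISC_R_SUCCESS early instead of merely skipping the move.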