mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
dhcp-relay: upgrade 4.4.3 -> 4.4.3-P1
Changes since 4.4.3 (Bug Fixes)
Corrected a reference count leak that occurs when the server builds
responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
Lab for reporting the issue.
[Gitlab #253]
CVE: CVE-2022-2928
Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label with length greater than 63
bytes.
Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
[Gitlab #254]
CVE: CVE-2022-2929
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 354608cb88)
Adapted to Kirkstone. Dropped two CVE patches, because they are included in
this patch release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
+3
-5
@@ -10,23 +10,21 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c463f4afde26d9eb60f14f50aeb85f8f"
|
|||||||
|
|
||||||
DEPENDS = "openssl libcap zlib"
|
DEPENDS = "openssl libcap zlib"
|
||||||
|
|
||||||
SRC_URI = "https://downloads.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
|
SRC_URI = "https://downloads.isc.org/isc/dhcp/4.4.3-P1/dhcp-4.4.3-P1.tar.gz \
|
||||||
file://default-relay \
|
file://default-relay \
|
||||||
file://init-relay \
|
file://init-relay \
|
||||||
file://dhcrelay.service \
|
file://dhcrelay.service \
|
||||||
file://0001-Makefile.am-only-build-dhcrelay.patch \
|
file://0001-Makefile.am-only-build-dhcrelay.patch \
|
||||||
file://0002-bind-Makefile.in-disable-backtrace.patch \
|
file://0002-bind-Makefile.in-disable-backtrace.patch \
|
||||||
file://0003-bind-Makefile.in-regenerate-configure.patch \
|
file://0003-bind-Makefile.in-regenerate-configure.patch \
|
||||||
file://CVE-2022-2928.patch \
|
|
||||||
file://CVE-2022-2929.patch \
|
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "0e3ec6b4c2a05ec0148874bcd999a66d05518378d77421f607fb0bc9d0135818"
|
SRC_URI[sha256sum] = "0ac416bb55997ca8632174fd10737fd61cdb8dba2752160a335775bc21dc73c7"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "http://ftp.isc.org/isc/dhcp/"
|
UPSTREAM_CHECK_URI = "http://ftp.isc.org/isc/dhcp/"
|
||||||
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+\.\d+\.(\d+?))/"
|
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+\.\d+\.(\d+?))/"
|
||||||
|
|
||||||
S = "${WORKDIR}/dhcp-${PV}"
|
S = "${WORKDIR}/dhcp-4.4.3-P1"
|
||||||
|
|
||||||
inherit autotools-brokensep systemd pkgconfig
|
inherit autotools-brokensep systemd pkgconfig
|
||||||
|
|
||||||
@@ -1,120 +0,0 @@
|
|||||||
From 2e08d138ff852820a6e87a09088d2dc2cdd15e56 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hitendra Prajapati <hprajapati@mvista.com>
|
|
||||||
Date: Mon, 10 Oct 2022 09:57:15 +0530
|
|
||||||
Subject: [PATCH 1/2] CVE-2022-2928
|
|
||||||
|
|
||||||
Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
|
|
||||||
CVE: CVE-2022-2928
|
|
||||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
|
||||||
---
|
|
||||||
common/options.c | 7 +++++
|
|
||||||
common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 61 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/common/options.c b/common/options.c
|
|
||||||
index 92c8fee..f0959cb 100644
|
|
||||||
--- a/common/options.c
|
|
||||||
+++ b/common/options.c
|
|
||||||
@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
|
|
||||||
if (!option_cache_allocate(&oc, MDL)) {
|
|
||||||
log_error("No memory for option cache adding %s (option %d).",
|
|
||||||
option->name, option_num);
|
|
||||||
+ /* Get rid of reference created during hash lookup. */
|
|
||||||
+ option_dereference(&option, MDL);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
|
|
||||||
MDL)) {
|
|
||||||
log_error("No memory for constant data adding %s (option %d).",
|
|
||||||
option->name, option_num);
|
|
||||||
+ /* Get rid of reference created during hash lookup. */
|
|
||||||
+ option_dereference(&option, MDL);
|
|
||||||
option_cache_dereference(&oc, MDL);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
|
|
||||||
save_option(&dhcp_universe, options, oc);
|
|
||||||
option_cache_dereference(&oc, MDL);
|
|
||||||
|
|
||||||
+ /* Get rid of reference created during hash lookup. */
|
|
||||||
+ option_dereference(&option, MDL);
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
|
|
||||||
index 600ebe6..963b566 100644
|
|
||||||
--- a/common/tests/option_unittest.c
|
|
||||||
+++ b/common/tests/option_unittest.c
|
|
||||||
@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ATF_TC(add_option_ref_cnt);
|
|
||||||
+
|
|
||||||
+ATF_TC_HEAD(add_option_ref_cnt, tc)
|
|
||||||
+{
|
|
||||||
+ atf_tc_set_md_var(tc, "descr",
|
|
||||||
+ "Verify add_option() does not leak option ref counts.");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+ATF_TC_BODY(add_option_ref_cnt, tc)
|
|
||||||
+{
|
|
||||||
+ struct option_state *options = NULL;
|
|
||||||
+ struct option *option = NULL;
|
|
||||||
+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
|
|
||||||
+ char *cid_str = "1234";
|
|
||||||
+ int refcnt_before = 0;
|
|
||||||
+
|
|
||||||
+ // Look up the option we're going to add.
|
|
||||||
+ initialize_common_option_spaces();
|
|
||||||
+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
|
|
||||||
+ &cid_code, 0, MDL)) {
|
|
||||||
+ atf_tc_fail("cannot find option definition?");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Get the option's reference count before we call add_options.
|
|
||||||
+ refcnt_before = option->refcnt;
|
|
||||||
+
|
|
||||||
+ // Allocate a option_state to which to add an option.
|
|
||||||
+ if (!option_state_allocate(&options, MDL)) {
|
|
||||||
+ atf_tc_fail("cannot allocat options state");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Call add_option() to add the option to the option state.
|
|
||||||
+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
|
|
||||||
+ atf_tc_fail("add_option returned 0");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Verify that calling add_option() only adds 1 to the option ref count.
|
|
||||||
+ if (option->refcnt != (refcnt_before + 1)) {
|
|
||||||
+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
|
|
||||||
+ refcnt_before, option->refcnt);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Derefrence the option_state, this should reduce the ref count to
|
|
||||||
+ // it's starting value.
|
|
||||||
+ option_state_dereference(&options, MDL);
|
|
||||||
+
|
|
||||||
+ // Verify that dereferencing option_state restores option ref count.
|
|
||||||
+ if (option->refcnt != refcnt_before) {
|
|
||||||
+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
|
|
||||||
+ refcnt_before, option->refcnt);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* This macro defines main() method that will call specified
|
|
||||||
test cases. tp and simple_test_case names can be whatever you want
|
|
||||||
as long as it is a valid variable identifier. */
|
|
||||||
@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
|
|
||||||
ATF_TP_ADD_TC(tp, option_refcnt);
|
|
||||||
ATF_TP_ADD_TC(tp, pretty_print_option);
|
|
||||||
ATF_TP_ADD_TC(tp, parse_X);
|
|
||||||
+ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
|
|
||||||
|
|
||||||
return (atf_no_error());
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
||||||
@@ -1,40 +0,0 @@
|
|||||||
From 5436cafe1d7df409a44ff5f610248db57f0677ee Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hitendra Prajapati <hprajapati@mvista.com>
|
|
||||||
Date: Mon, 10 Oct 2022 09:58:04 +0530
|
|
||||||
Subject: [PATCH 2/2] CVE-2022-2929
|
|
||||||
|
|
||||||
Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
|
|
||||||
CVE: CVE-2022-2929
|
|
||||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
|
||||||
---
|
|
||||||
common/options.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/common/options.c b/common/options.c
|
|
||||||
index f0959cb..25450e1 100644
|
|
||||||
--- a/common/options.c
|
|
||||||
+++ b/common/options.c
|
|
||||||
@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
|
|
||||||
while (s < &bp -> data[0] + length + 2) {
|
|
||||||
len = *s;
|
|
||||||
if (len > 63) {
|
|
||||||
- log_info ("fancy bits in fqdn option");
|
|
||||||
- return 0;
|
|
||||||
+ log_info ("label length exceeds 63 in fqdn option");
|
|
||||||
+ goto bad;
|
|
||||||
}
|
|
||||||
if (len == 0) {
|
|
||||||
terminated = 1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (s + len > &bp -> data [0] + length + 3) {
|
|
||||||
- log_info ("fqdn tag longer than buffer");
|
|
||||||
- return 0;
|
|
||||||
+ log_info ("fqdn label longer than buffer");
|
|
||||||
+ goto bad;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (first_len == 0) {
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
||||||
Reference in New Issue
Block a user