[#253] Fix reference count leak in add_option

RELNOTES Added release note common/options.c add_option() - always dereference the looked up option common/tests/option_unittest.c Added new unit test: ATF_TC_BODY(add_option_ref_cnt, tc)
author: Thomas Markwalder <tmark@isc.org> 2022-08-04 13:10:41 -0400
committer: Thomas Markwalder <tmark@isc.org> 2022-08-04 13:10:41 -0400
commit: 9e75e0fdb7f65d5b834cea10787d68483f8da01f (patch)
tree: 4221f28243ee0bcf389113547ae13f42981c9788
parent: 862faa0e713dd3725061ae9159dff745a6378fc9 (diff)
download: isc-dhcp-9e75e0fdb7f65d5b834cea10787d68483f8da01f.tar.gz
3 files changed, 68 insertions, 1 deletions
diff --git a/RELNOTES b/RELNOTES
index 38b155c4..9940f9ac 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -75,7 +75,13 @@ We welcome comments from DHCP users, about this or anything else we do.
 Email Vicky Risk, Product Manager at vicky@isc.org or discuss on
 dhcp-users@lists.isc.org.
 
-			Changes since 4.1-ESV-R16
+			Changes since 4.1-ESV-R16-P1
+ ! Corrected a reference count leak that occurs when the server builds
+   responses to leasequery packets.
+   [Gitblab #253]
+   CVE: <TBD>
+
+			Change1 since 4.1-ESV-R16
  ! Corrected a buffer overwrite possible when parsing hexadecimal
    literals with more than 1024 octets. Reported by Jon Franklin from Dell,
    and also by Pawel Wieczorkiewicz from Amazon Web Services.
diff --git a/common/options.c b/common/options.c
index 54f8dcda..df591cbb 100644
--- a/common/options.c
+++ b/common/options.c
@@ -4350,6 +4350,8 @@ add_option(struct option_state *options,
 	if (!option_cache_allocate(&oc, MDL)) {
 		log_error("No memory for option cache adding %s (option %d).",
 			  option->name, option_num);
+		/* Get rid of reference created during hash lookup. */
+		option_dereference(&option, MDL);
 		return 0;
 	}
 
@@ -4361,6 +4363,8 @@ add_option(struct option_state *options,
 			     MDL)) {
 		log_error("No memory for constant data adding %s (option %d).",
 			  option->name, option_num);
+		/* Get rid of reference created during hash lookup. */
+		option_dereference(&option, MDL);
 		option_cache_dereference(&oc, MDL);
 		return 0;
 	}
@@ -4369,6 +4373,9 @@ add_option(struct option_state *options,
 	save_option(&dhcp_universe, options, oc);
 	option_cache_dereference(&oc, MDL);
 
+	/* Get rid of reference created during hash lookup. */
+	option_dereference(&option, MDL);
+
 	return 1;
 }
 
diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
index b71a1add..56d766f0 100644
--- a/common/tests/option_unittest.c
+++ b/common/tests/option_unittest.c
@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
     }
 }
 
+ATF_TC(add_option_ref_cnt);
+
+ATF_TC_HEAD(add_option_ref_cnt, tc)
+{
+    atf_tc_set_md_var(tc, "descr",
+        "Verify add_option() does not leak option ref counts.");
+}
+
+ATF_TC_BODY(add_option_ref_cnt, tc)
+{
+    struct option_state *options = NULL;
+    struct option *option = NULL;
+    unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
+    char *cid_str = "1234";
+    int refcnt_before = 0;
+
+    // Look up the option we're going to add.
+    initialize_common_option_spaces();
+    if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
+                                 &cid_code, 0, MDL)) {
+        atf_tc_fail("cannot find option definition?");
+    }
+
+    // Get the option's reference count before we call add_options.
+    refcnt_before = option->refcnt;
+
+    // Allocate a option_state to which to add an option.
+    if (!option_state_allocate(&options, MDL)) {
+	    atf_tc_fail("cannot allocat options state");
+    }
+
+    // Call add_option() to add the option to the option state.
+    if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
+	    atf_tc_fail("add_option returned 0");
+    }
+
+    // Verify that calling add_option() only adds 1 to the option ref count.
+    if (option->refcnt != (refcnt_before + 1)) {
+        atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+
+    // Derefrence the option_state, this should reduce the ref count to
+    // it's starting value.
+    option_state_dereference(&options, MDL);
+
+    // Verify that dereferencing option_state restores option ref count.
+    if (option->refcnt != refcnt_before) {
+        atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+}
+
 /* This macro defines main() method that will call specified
    test cases. tp and simple_test_case names can be whatever you want
    as long as it is a valid variable identifier. */
@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
     ATF_TP_ADD_TC(tp, option_refcnt);
     ATF_TP_ADD_TC(tp, pretty_print_option);
     ATF_TP_ADD_TC(tp, parse_X);
+    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
 
     return (atf_no_error());
 }
author	Thomas Markwalder <tmark@isc.org>	2022-08-04 13:10:41 -0400
committer	Thomas Markwalder <tmark@isc.org>	2022-08-04 13:10:41 -0400
commit	9e75e0fdb7f65d5b834cea10787d68483f8da01f (patch)
tree	4221f28243ee0bcf389113547ae13f42981c9788
parent	862faa0e713dd3725061ae9159dff745a6378fc9 (diff)
download	isc-dhcp-9e75e0fdb7f65d5b834cea10787d68483f8da01f.tar.gz