authorThomas Markwalder <tmark@isc.org>2022-09-01 11:18:50 +0000
committerThomas Markwalder <tmark@isc.org>2022-09-01 11:18:50 +0000
commitfbd1867ff7567845725a993779799722d8abc1b6 (patch)
treed1907986fa3b9d00c781195e7dfa267fdc67a7ac
parentb5d1f6f097faf828dea735b30b4bdc589f06b9be (diff)
parentfcfa2af942dbdf01d7c654e887bda12f6ede8b88 (diff)
downloadisc-dhcp-fbd1867ff7567845725a993779799722d8abc1b6.tar.gz
Merge branch '254_v4_1_esv_r16-memleak-parsing-fqdn' into 'v4_1_esv'
[#254] v4_1_esv Fixed memory leak in FQDN unpacking. See merge request isc-private/dhcp!11
-rw-r--r--RELNOTES47
-rw-r--r--common/options.c8
2 files changed, 34 insertions, 21 deletions
diff --git a/RELNOTES b/RELNOTES
index 26d6bd09..e9d3a879 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,10 +5,10 @@
Release Notes
Version 4.1-ESV-R16-P2 is a security release of an extended support version
-(ESV) fixing possible reference counter overflow in the server while adding
-options to lease query responses. ESVs are intended for users who have longer
-upgrade constraints. Please see our web page:
-
+(ESV) fixing a possible reference counter overflow in the server while adding
+options to lease query responses and a possible memory leak in the client and
+server when parsing inbound packets with malformed FQDN options. ESVs are
+intended for users who have longer upgrade constraints. Please see our web page:
http://www.isc.org/downloads/software-support-policy/
for more information on ESVs.
@@ -74,19 +74,32 @@ dhcp-users@lists.isc.org.
Changes since 4.1-ESV-R16-P1
- ! Corrected a reference count leak that occurs when the server builds
- responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
- Lab for reporting the issue.
- [Gitblab #253]
- CVE: CVS-2022-2928
-
- Change1 since 4.1-ESV-R16
-
- ! Corrected a buffer overwrite possible when parsing hexadecimal
- literals with more than 1024 octets. Reported by Jon Franklin from Dell,
- and also by Pawel Wieczorkiewicz from Amazon Web Services.
- [Gitlab #182]
- CVE: CVE-2021-25217
+<<<<<<< HEAD
+! Corrected a reference count leak that occurs when the server builds
+ responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
+ Lab for reporting the issue.
+ [Gitblab #253]
+ CVE: CVS-2022-2928
+
+! Corrected a memory leak that occurs when unpacking a packet that has an
+ FQDN option (81) that contains a label whose lenght is greater than 63.
+ [Gitblab #254]
+ CVE: CVS-2022-2929
+=======
+ ! Corrected a memory leak that occurs when unpacking a packet that has an
+ FQDN option (81) that contains a label whose lenght is greater than 63.
+ Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
+ [Gitblab #254]
+ CVE: CVS-2022-2929
+>>>>>>> [#254] Updated RELNOTES
+
+ Changes since 4.1-ESV-R16
+
+! Corrected a buffer overwrite possible when parsing hexadecimal
+ literals with more than 1024 octets. Reported by Jon Franklin from Dell,
+ and also by Pawel Wieczorkiewicz from Amazon Web Services.
+ [Gitlab #182]
+ CVE: CVE-2021-25217
Changes since 4.1-ESV-R16b1
diff --git a/common/options.c b/common/options.c
index df591cbb..035ec64c 100644
--- a/common/options.c
+++ b/common/options.c
@@ -447,16 +447,16 @@ int fqdn_universe_decode (struct option_state *options,
while (s < &bp -> data[0] + length + 2) {
len = *s;
if (len > 63) {
- log_info ("fancy bits in fqdn option");
- return 0;
+ log_info ("label length exceeds 63 in fqdn option");
+ goto bad;
}
if (len == 0) {
terminated = 1;
break;
}
if (s + len > &bp -> data [0] + length + 3) {
- log_info ("fqdn tag longer than buffer");
- return 0;
+ log_info ("fqdn label longer than buffer");
+ goto bad;
}
if (first_len == 0) {