authorFrancis Dupont <fdupont@isc.org>2015-04-11 20:00:21 +0200
committerFrancis Dupont <fdupont@isc.org>2015-04-11 20:00:21 +0200
commitd75489baee0be4d090421057448913a1079f650f (patch)
tree9762277a4c440738c977cb5f7666a9887e04eea1
parent274da71dedd568109d14b449b60b1d43df413334 (diff)
fixed lease table overflow crash [#38637] (including RELNOTES)
-rw-r--r--RELNOTES8
-rw-r--r--server/mdb.c18
2 files changed, 24 insertions, 2 deletions
diff --git a/RELNOTES b/RELNOTES
index 943457bb..a75bdff8 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -60,6 +60,14 @@ by Eric Young (eay@cryptsoft.com).
Changes since 4.1-ESV-R11
+- The server now does a better check to see if it can allocate the memory
+ for large blocks of v4 leases and should provide a slightly better error
+ message. Note well: the server pre-allocates v4 addresses, if you use
+ a large range, such as a /8, the server will attempt to use a large
+ amount of memory and may not start if there either isn't enough memory
+ or the size exceeds what the code supports.
+ [ISC-Bugs #38637]
+
- The server will now reject unicast Request, Renew, Decline, and Release
messages from a client unless the server would have sent that client the
dhcp6.unicast option. This behavior is in compliance with paragraph 1 in
diff --git a/server/mdb.c b/server/mdb.c
index dd36e817..19a12051 100644
--- a/server/mdb.c
+++ b/server/mdb.c
@@ -3,7 +3,7 @@
Server-specific in-memory database support. */
/*
- * Copyright (c) 2011-2014 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2011-2015 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 2004-2009 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 1996-2003 by Internet Software Consortium
*
@@ -708,6 +708,7 @@ void new_address_range (cfile, low, high, subnet, pool, lpchain)
{
#if defined(COMPACT_LEASES)
struct lease *address_range;
+ unsigned n, s;
#endif
unsigned min, max, i;
char lowbuf [16], highbuf [16], netbuf [16];
@@ -767,7 +768,20 @@ void new_address_range (cfile, low, high, subnet, pool, lpchain)
/* Get a lease structure for each address in the range. */
#if defined (COMPACT_LEASES)
- address_range = new_leases (max - min + 1, MDL);
+ n = max - min + 1;
+ s = (n + 1) * sizeof (struct lease);
+ /* Check unsigned overflow in new_leases().
+ With 304 byte lease structure (x64_86), this happens at
+ range 10.0.0.0 10.215.148.52; */
+ if (((s % sizeof (struct lease)) != 0) ||
+ ((s / sizeof (struct lease)) != (n + 1))) {
+ strcpy (lowbuf, piaddr (low));
+ strcpy (highbuf, piaddr (high));
+ parse_warn (cfile, "%s-%s is a far too large address range.",
+ lowbuf, highbuf);
+ log_fatal ("Memory overflow.");
+ }
+ address_range = new_leases (n, MDL);
if (!address_range) {
strcpy (lowbuf, piaddr (low));
strcpy (highbuf, piaddr (high));
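Review bot: The new overflow test after `s = (n + 1) * sizeof (struct lease);` misses the case where `n + 1` itself wraps to 0: with `n == UINT_MAX`, `s` becomes 0, both the `%` and the `/` comparison pass, and `new_leases (n, MDL)` is still called. Similarly, `n = max - min + 1` wraps to 0 if the range spans the whole 32-bit space; whether `min` and `max` can reach those values depends on code outside this hunk. A direct bound checked before any multiplication is easier to audit, e.g. `if (n == 0 || n > UINT_MAX / sizeof (struct lease) - 1)` (needs `<limits.h>` if it is not already pulled in). The current test also only works because `s` is declared `unsigned` in the earlier hunk, so the `size_t` product is truncated on assignment on 64-bit builds; that deserves a comment such as `/* s is deliberately unsigned to mirror the arithmetic in new_leases() */`. The body of new_address_range starts and ends outside the hunk.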