Two packets were found that cause a server to halt. The code

has been updated to properly process or reject the packets as appropriate. Thanks to David Zych at University of Illinois for reporting this issue. [ISC-Bugs #24960] One CVE number for each class of packet. CVE-2011-2748 CVE-2011-2749
2025-08-22 01:49:35 +00:00 · 2011-07-19 22:13:26 +00:00 · 2011-07-19 22:13:26 +00:00 · 8bd96ccb21
commit 8bd96ccb21
parent beaed73f00
4 changed files with 23 additions and 9 deletions
--- a/8
+++ b/8
@ -190,6 +190,14 @@ work on other platforms. Please report any problems and suggested fixes to
  in site.h then server will be terminated
  [ISC-Bugs #23595]

+! Two packets were found that cause a server to halt.  The code
+  has been updated to properly process or reject the packets as
+  appropriate.  Thanks to David Zych at University of Illinois
+  for reporting this issue.  [ISC-Bugs #24960]
+  One CVE number for each class of packet.
+  CVE-2011-2748
+  CVE-2011-2749
+
 			Changes since 4.2.0

 - Documentation cleanup covering multiple tickets
--- a/common/discover.c
+++ b/common/discover.c
@ -1403,12 +1403,16 @@ isc_result_t got_one (h)
 	if (result == 0)
 		return ISC_R_UNEXPECTED;

-	/* If we didn't at least get the fixed portion of the BOOTP
-	   packet, drop the packet.  We're allowing packets with no
-	   sname or filename, because we're aware of at least one
-	   client that sends such packets, but this definitely falls
-	   into the category of being forgiving. */
-	if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
+	/*
+	 * If we didn't at least get the fixed portion of the BOOTP
+	 * packet, drop the packet.
+	 * Previously we allowed packets with no sname or filename
+	 * as we were aware of at least one client that did.  But
+	 * a bug caused short packets to not work and nobody has
+	 * complained, it seems rational to tighten up that
+	 * restriction.
+	 */
+	if (result < DHCP_FIXED_NON_UDP)
 		return ISC_R_UNEXPECTED;

 #if defined(IP_PKTINFO) && defined(IP_RECVPKTINFO) && defined(USE_V4_PKTINFO)
--- a/common/options.c
+++ b/common/options.c
@ -3,7 +3,7 @@
   DHCP options parsing and reassembly. */

 /*
- * Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2011 by Internet Systems Consortium, Inc. ("ISC")
 * Copyright (c) 1995-2003 by Internet Software Consortium
 *
 * Permission to use, copy, modify, and distribute this software for any
@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
 	} else if (bootpp) {
 		mb_size = 64;
 		if (inpacket != NULL &&
-		    (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
-			mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
+		    (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
+			mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
 	} else
 		mb_size = DHCP_MIN_OPTION_LEN;

--- a/server/dhcp.c
+++ b/server/dhcp.c
@ -2354,6 +2354,7 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp)
 	 * giaddr.
 	 */
 	if (!packet->agent_options_stashed &&
+	    (packet->options != NULL) &&
 	    packet->options->universe_count > agent_universe.index &&
 	    packet->options->universes[agent_universe.index] != NULL) {
 	    oc = lookup_option (&server_universe, state -> options,
@ -4506,6 +4507,7 @@ maybe_return_agent_options(struct packet *packet, struct option_state *options)
 	 * by the user into the new state, not just give up.
 	 */
 	if (!packet->agent_options_stashed &&
+	    (packet->options != NULL) &&
 	    packet->options->universe_count > agent_universe.index &&
 	    packet->options->universes[agent_universe.index] != NULL &&
 	    (options->universe_count <= agent_universe.index ||