When attempting to convert a DUID from a client id option

into a hardware address handle unexpected client ids properly. Thanks to Markus Hietava of Codenomicon CROSS project for the finding this issue and CERT-FI for vulnerability coordination. [ISC-Bugs #29852] CVE: CVE-2012-3570
2025-08-31 14:25:41 +00:00 · 2012-06-27 21:33:25 +00:00
parent de87ffe336
commit e563ec2e58
3 changed files with 16 additions and 3 deletions
--- a/7
+++ b/7
@@ -90,6 +90,13 @@ work on other platforms. Please report any problems and suggested fixes to
  [ISC-Bugs #29851]
  CVE: CVE-2012-3571

+! When attempting to convert a DUID from a client id option
+  into a hardware address handle unexpected client ids properly.
+  Thanks to Markus Hietava of Codenomicon CROSS project for the
+  finding this issue and CERT-FI for vulnerability coordination. 
+  [ISC-Bugs #29852]
+  CVE: CVE-2012-3570
+
 			Changes since 4.2.3

 ! Add a check for a null pointer before calling the regexec function.
--- a/includes/dhcpd.h
+++ b/includes/dhcpd.h
@@ -432,11 +432,17 @@ struct packet {
 	isc_boolean_t unicast;
 };

-/* A network interface's MAC address. */
+/*
+ * A network interface's MAC address.
+ * 20 bytes for the hardware address
+ * and 1 byte for the type tag
+ */
+
+#define HARDWARE_ADDR_LEN 20

 struct hardware {
 	u_int8_t hlen;
-	u_int8_t hbuf[21];
+	u_int8_t hbuf[HARDWARE_ADDR_LEN + 1];
 };

 #if defined(LDAP_CONFIGURATION)
--- a/server/dhcpv6.c
+++ b/server/dhcpv6.c
@@ -6037,7 +6037,7 @@ find_hosts_by_duid_chaddr(struct host_decl **host,
 		break;
 	}

-	if (hlen == 0)
+	if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN)) 
 		return 0;

 	/*