authorDavid Hankins <dhankins@isc.org>2009-06-19 23:24:19 +0000
committerDavid Hankins <dhankins@isc.org>2009-06-19 23:24:19 +0000
commit8a4e543b51677c3033cb6a9fc0b77e772063dd6a (patch)
tree6f3c62bdfeb78ca3fc132ffd19ddbb5fc7c16566 /client
parent9e3eb22ab78a2645f9d4107447b91549f0cac1ea (diff)
! A stack overflow vulnerability was fixed in dhclient that could allow
remote attackers to execute arbitrary commands as root on the system, or simply terminate the client, by providing an over-long subnet-mask option. [ISC-Bugs #19839]
Diffstat (limited to 'client')
-rw-r--r--client/dhclient.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/client/dhclient.c b/client/dhclient.c
index 580c7126..99f0ec1a 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -3070,8 +3070,15 @@ void script_write_params (client, prefix, lease)
if (data.len > 3) {
struct iaddr netmask, subnet, broadcast;
- memcpy (netmask.iabuf, data.data, data.len);
- netmask.len = data.len;
+ /*
+ * No matter the length of the subnet-mask option,
+ * use only the first four octets. Note that
+ * subnet-mask options longer than 4 octets are not
+ * in conformance with RFC 2132, but servers with this
+ * flaw do exist.
+ */
+ memcpy(netmask.iabuf, data.data, 4);
+ netmask.len = 4;
data_string_forget (&data, MDL);
subnet = subnet_number (lease -> address, netmask);
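Review bot: The truncation at `memcpy(netmask.iabuf, data.data, 4);` is silent, so an over-long subnet-mask option (a broken server, or one probing for the old overflow) leaves no trace in the client's logs. A single line before the copy would give operators something to alert on, for example `if (data.len != 4) log_error("subnet-mask option is %u octets; using the first 4", (unsigned)data.len);`. Separately, the bound now depends on two literals agreeing, the guard `data.len > 3` and the copy length `4`. Naming the length once, or writing the guard as `data.len >= 4`, would make that dependency visible to the next editor. The body of script_write_params starts and ends outside this hunk, so whether other option lengths are copied into an `iabuf` the same way cannot be judged from here and is worth checking.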