diff options
-rw-r--r-- | RELNOTES | 47 | ||||
-rw-r--r-- | common/options.c | 8 |
2 files changed, 34 insertions, 21 deletions
@@ -5,10 +5,10 @@ Release Notes Version 4.1-ESV-R16-P2 is a security release of an extended support version -(ESV) fixing possible reference counter overflow in the server while adding -options to lease query responses. ESVs are intended for users who have longer -upgrade constraints. Please see our web page: - +(ESV) fixing a possible reference counter overflow in the server while adding +options to lease query responses and a possible memory leak in the client and +server when parsing inbound packets with malformed FQDN options. ESVs are +intended for users who have longer upgrade constraints. Please see our web page: http://www.isc.org/downloads/software-support-policy/ for more information on ESVs. @@ -74,19 +74,32 @@ dhcp-users@lists.isc.org. Changes since 4.1-ESV-R16-P1 - ! Corrected a reference count leak that occurs when the server builds - responses to leasequery packets. Thanks to VictorV of Cyber Kunlun - Lab for reporting the issue. - [Gitblab #253] - CVE: CVS-2022-2928 - - Change1 since 4.1-ESV-R16 - - ! Corrected a buffer overwrite possible when parsing hexadecimal - literals with more than 1024 octets. Reported by Jon Franklin from Dell, - and also by Pawel Wieczorkiewicz from Amazon Web Services. - [Gitlab #182] - CVE: CVE-2021-25217 +<<<<<<< HEAD +! Corrected a reference count leak that occurs when the server builds + responses to leasequery packets. Thanks to VictorV of Cyber Kunlun + Lab for reporting the issue. + [Gitblab #253] + CVE: CVS-2022-2928 + +! Corrected a memory leak that occurs when unpacking a packet that has an + FQDN option (81) that contains a label whose lenght is greater than 63. + [Gitblab #254] + CVE: CVS-2022-2929 +======= + ! Corrected a memory leak that occurs when unpacking a packet that has an + FQDN option (81) that contains a label whose lenght is greater than 63. + Thanks to VictorV of Cyber Kunlun Lab for reporting the issue. + [Gitblab #254] + CVE: CVS-2022-2929 +>>>>>>> [#254] Updated RELNOTES + + Changes since 4.1-ESV-R16 + +! Corrected a buffer overwrite possible when parsing hexadecimal + literals with more than 1024 octets. Reported by Jon Franklin from Dell, + and also by Pawel Wieczorkiewicz from Amazon Web Services. + [Gitlab #182] + CVE: CVE-2021-25217 Changes since 4.1-ESV-R16b1 diff --git a/common/options.c b/common/options.c index df591cbb..035ec64c 100644 --- a/common/options.c +++ b/common/options.c @@ -447,16 +447,16 @@ int fqdn_universe_decode (struct option_state *options, while (s < &bp -> data[0] + length + 2) { len = *s; if (len > 63) { - log_info ("fancy bits in fqdn option"); - return 0; + log_info ("label length exceeds 63 in fqdn option"); + goto bad; } if (len == 0) { terminated = 1; break; } if (s + len > &bp -> data [0] + length + 3) { - log_info ("fqdn tag longer than buffer"); - return 0; + log_info ("fqdn label longer than buffer"); + goto bad; } if (first_len == 0) { |