From c887ef3f31a3c96208028cc818b839d389bbf0cb Mon Sep 17 00:00:00 2001 From: Thomas Markwalder Date: Thu, 4 Aug 2022 14:11:08 -0400 Subject: [#254] Fixed memory leak in FQDN unpacking RELNOTES Added a release note common/options.c fqdn_universe_decode() - replace returns with gotos to ensure memory is freed on label length errors --- RELNOTES | 31 ++++++++++++++++++------------- common/options.c | 8 ++++---- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/RELNOTES b/RELNOTES index 26d6bd09..faa6e21a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -74,19 +74,24 @@ dhcp-users@lists.isc.org. Changes since 4.1-ESV-R16-P1 - ! Corrected a reference count leak that occurs when the server builds - responses to leasequery packets. Thanks to VictorV of Cyber Kunlun - Lab for reporting the issue. - [Gitblab #253] - CVE: CVS-2022-2928 - - Change1 since 4.1-ESV-R16 - - ! Corrected a buffer overwrite possible when parsing hexadecimal - literals with more than 1024 octets. Reported by Jon Franklin from Dell, - and also by Pawel Wieczorkiewicz from Amazon Web Services. - [Gitlab #182] - CVE: CVE-2021-25217 +! Corrected a reference count leak that occurs when the server builds + responses to leasequery packets. Thanks to VictorV of Cyber Kunlun + Lab for reporting the issue. + [Gitblab #253] + CVE: CVS-2022-2928 + +! Corrected a memory leak that occurs when unpacking a packet that has an + FQDN option (81) that contains a label whose lenght is greater than 63. + [Gitblab #254] + CVE: CVS-2022-2929 + + Changes since 4.1-ESV-R16 + +! Corrected a buffer overwrite possible when parsing hexadecimal + literals with more than 1024 octets. Reported by Jon Franklin from Dell, + and also by Pawel Wieczorkiewicz from Amazon Web Services. + [Gitlab #182] + CVE: CVE-2021-25217 Changes since 4.1-ESV-R16b1 diff --git a/common/options.c b/common/options.c index df591cbb..035ec64c 100644 --- a/common/options.c +++ b/common/options.c 
@@ -447,16 +447,16 @@ int fqdn_universe_decode (struct option_state *options, while (s < &bp -> data[0] + length + 2) { len = *s; if (len > 63) { - log_info ("fancy bits in fqdn option"); - return 0; + log_info ("label length exceeds 63 in fqdn option"); + goto bad; } if (len == 0) { terminated = 1; break; } if (s + len > &bp -> data [0] + length + 3) { - log_info ("fqdn tag longer than buffer"); - return 0; + log_info ("fqdn label longer than buffer"); + goto bad; } if (first_len == 0) { -- cgit v1.2.1 From fcfa2af942dbdf01d7c654e887bda12f6ede8b88 Mon Sep 17 00:00:00 2001 From: Thomas Markwalder Date: Tue, 23 Aug 2022 07:26:19 -0400 Subject: [#254] Updated RELNOTES --- RELNOTES | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/RELNOTES b/RELNOTES index faa6e21a..e9d3a879 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,10 +5,10 @@ Release Notes Version 4.1-ESV-R16-P2 is a security release of an extended support version -(ESV) fixing possible reference counter overflow in the server while adding -options to lease query responses. ESVs are intended for users who have longer -upgrade constraints. Please see our web page: - +(ESV) fixing a possible reference counter overflow in the server while adding +options to lease query responses and a possible memory leak in the client and +server when parsing inbound packets with malformed FQDN options. ESVs are +intended for users who have longer upgrade constraints. Please see our web page: http://www.isc.org/downloads/software-support-policy/ for more information on ESVs. @@ -74,6 +74,7 @@ dhcp-users@lists.isc.org. Changes since 4.1-ESV-R16-P1 +<<<<<<< HEAD ! Corrected a reference count leak that occurs when the server builds responses to leasequery packets. Thanks to VictorV of Cyber Kunlun Lab for reporting the issue. 
@@ -84,6 +85,13 @@ dhcp-users@lists.isc.org. FQDN option (81) that contains a label whose lenght is greater than 63. [Gitblab #254] CVE: CVS-2022-2929 +======= + ! Corrected a memory leak that occurs when unpacking a packet that has an + FQDN option (81) that contains a label whose lenght is greater than 63. + Thanks to VictorV of Cyber Kunlun Lab for reporting the issue. + [Gitblab #254] + CVE: CVS-2022-2929 +>>>>>>> [#254] Updated RELNOTES Changes since 4.1-ESV-R16 -- cgit v1.2.1
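Review bot: the re-indented and newly added entries in the first commit's RELNOTES hunk (`@@ -74,19 +74,24 @@`) carry identifier typos that will trip anyone searching for the advisory: `[Gitblab #253]` and `[Gitblab #254]` should read `[Gitlab #...]` as the existing `[Gitlab #182]` line does, `CVE: CVS-2022-2928` and `CVE: CVS-2022-2929` should use the `CVE-` prefix as `CVE: CVE-2021-25217` does, and `lenght` should be `length`. Renaming the stray `Change1 since 4.1-ESV-R16` heading to `Changes since 4.1-ESV-R16` is correct. The new #254 entry also does not say whether the leak affects the client as well as the server; since the fix lands in the shared `common/options.c` code, consider stating the affected components here as the second commit's summary paragraph does.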
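Review bot: in the `common/options.c` hunk (`@@ -447,16 +447,16 @@`) the `bad:` label that the two new `goto bad` statements jump to lies outside the shown context, so the diff does not demonstrate what it releases; please extend the context or state in the commit message that `bad` frees the `bp` buffer and returns 0, so callers see the same failure value as the replaced `return 0`. Any other early `return` between the allocation of `bp` and the `bad:` label would leak in exactly the same way, so the rest of `fqdn_universe_decode` should be audited for them in this change. A short comment explaining why the loop bound uses `length + 2` while the label bounds check uses `length + 3` would also help, because a reader cannot tell from this hunk alone whether the one-byte difference is intentional.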
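Review bot: the rewritten summary paragraph in the second commit (`@@ -5,10 +5,10 @@`) drops the blank line that separated `Please see our web page:` from the URL (the deleted `-` blank line is not re-added), so the URL now sits directly under the sentence; restore it to match the layout of the surrounding notes. The wording `reference counter overflow` also disagrees with the changelog entry further down, which describes the same fix as a `reference count leak`; use one term for one issue.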
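Review bot: the hunk at `@@ -74,6 +74,7 @@` commits an unresolved merge conflict marker, `+<<<<<<< HEAD`, into RELNOTES, so this commit must not be merged as is. Resolve the conflict locally, keep a single copy of each entry, and confirm no markers remain (for example with `git grep -n '^<<<<<<< '` or `git diff --check`, which reports leftover conflict markers) before re-committing.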
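Review bot: the `+=======` and `+>>>>>>> [#254] Updated RELNOTES` lines in the hunk at `@@ -84,6 +85,13 @@` are the remainder of the unresolved conflict from the previous hunk, and the block between them duplicates the #254 entry already present in the context lines above, differing only in indentation and the added `Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.` credit. Resolve it by keeping one entry, indented like its neighbours, that includes the credit line, and fix the typos it inherits from the first commit (`lenght`, `Gitblab`, and `CVS-2022-2929` under a `CVE:` label).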