[src/trunk]: src/external/mpl/dhcp/dist Apply security fixes:

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/f964df40a635
branches:  trunk
changeset: 371745:f964df40a635
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Oct 05 22:20:15 2022 +0000

description:
Apply security fixes:
https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2928.4-4-3.diff
https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2929.4-4-3.diff

diffstat:

 external/mpl/dhcp/dist/RELNOTES                       |  20 +++++-
 external/mpl/dhcp/dist/common/options.c               |  19 ++++--
 external/mpl/dhcp/dist/common/tests/option_unittest.c |  56 ++++++++++++++++++-
 3 files changed, 84 insertions(+), 11 deletions(-)

diffs (181 lines):

diff -r 6401a29f7da7 -r f964df40a635 external/mpl/dhcp/dist/RELNOTES
--- a/external/mpl/dhcp/dist/RELNOTES   Wed Oct 05 12:09:07 2022 +0000
+++ b/external/mpl/dhcp/dist/RELNOTES   Wed Oct 05 22:20:15 2022 +0000
@@ -1,10 +1,8 @@
                 Internet Systems Consortium DHCP Distribution
-                            Version 4.4.3
-                            9 March 2022
+                          Version 4.4.3-P1
+                            ? ????? 2022
                             Release Notes
 
-                            NEW FEATURES
-
 Please note that that ISC DHCP is licensed under the Mozilla Public
 License, MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
 the MPL 2.0 license terms.
@@ -28,6 +26,20 @@
 Consortium.  This product includes cryptographic software written
 by Eric Young (eay%cryptsoft.com@localhost).
 
+               Changes since 4.4.3 (Bug Fixes)
+
+! Corrected a reference count leak that occurs when the server builds
+  responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
+  Lab for reporting the issue.
+  [Gitblab #253]
+  CVE: CVS-2022-2928
+
+! Corrected a memory leak that occurs when unpacking a packet that has an
+  FQDN option (81) that contains a label whose lenght is greater than 63.
+  Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
+  [Gitblab #254]
+  CVE: CVS-2022-2929
+
                Changes since 4.4.2-P1 (New Features)
 
 - Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
diff -r 6401a29f7da7 -r f964df40a635 external/mpl/dhcp/dist/common/options.c
--- a/external/mpl/dhcp/dist/common/options.c   Wed Oct 05 12:09:07 2022 +0000
+++ b/external/mpl/dhcp/dist/common/options.c   Wed Oct 05 22:20:15 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: options.c,v 1.6 2022/04/03 01:10:58 christos Exp $     */
+/*     $NetBSD: options.c,v 1.7 2022/10/05 22:20:15 christos Exp $     */
 
 /* options.c
 
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: options.c,v 1.6 2022/04/03 01:10:58 christos Exp $");
+__RCSID("$NetBSD: options.c,v 1.7 2022/10/05 22:20:15 christos Exp $");
 
 #define DHCP_OPTION_DATA
 #include "dhcpd.h"
@@ -465,16 +465,16 @@
                while (s < &bp -> data[0] + length + 2) {
                        len = *s;
                        if (len > 63) {
-                               log_info ("fancy bits in fqdn option");
-                               return 0;
+                               log_info ("label length exceeds 63 in fqdn option");
+                               goto bad;
                        }
                        if (len == 0) {
                                terminated = 1;
                                break;
                        }
                        if (s + len > &bp -> data [0] + length + 3) {
-                               log_info ("fqdn tag longer than buffer");
-                               return 0;
+                               log_info ("fqdn label longer than buffer");
+                               goto bad;
                        }
 
                        if (first_len == 0) {
@@ -4463,6 +4463,8 @@
        if (!option_cache_allocate(&oc, MDL)) {
                log_error("No memory for option cache adding %s (option %d).",
                          option->name, option_num);
+               /* Get rid of reference created during hash lookup. */
+               option_dereference(&option, MDL);
                return 0;
        }
 
@@ -4474,6 +4476,8 @@
                             MDL)) {
                log_error("No memory for constant data adding %s (option %d).",
                          option->name, option_num);
+               /* Get rid of reference created during hash lookup. */
+               option_dereference(&option, MDL);
                option_cache_dereference(&oc, MDL);
                return 0;
        }
@@ -4482,6 +4486,9 @@
        save_option(&dhcp_universe, options, oc);
        option_cache_dereference(&oc, MDL);
 
+       /* Get rid of reference created during hash lookup. */
+       option_dereference(&option, MDL);
+
        return 1;
 }
 
diff -r 6401a29f7da7 -r f964df40a635 external/mpl/dhcp/dist/common/tests/option_unittest.c
--- a/external/mpl/dhcp/dist/common/tests/option_unittest.c     Wed Oct 05 12:09:07 2022 +0000
+++ b/external/mpl/dhcp/dist/common/tests/option_unittest.c     Wed Oct 05 22:20:15 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: option_unittest.c,v 1.4 2022/04/03 01:10:58 christos Exp $     */
+/*     $NetBSD: option_unittest.c,v 1.5 2022/10/05 22:20:15 christos Exp $     */
 
 /*
  * Copyright (C) 2018-2022 Internet Systems Consortium, Inc. ("ISC")
@@ -215,6 +215,59 @@
     }
 }
 
+ATF_TC(add_option_ref_cnt);
+
+ATF_TC_HEAD(add_option_ref_cnt, tc)
+{
+    atf_tc_set_md_var(tc, "descr",
+        "Verify add_option() does not leak option ref counts.");
+}
+
+ATF_TC_BODY(add_option_ref_cnt, tc)
+{
+    struct option_state *options = NULL;
+    struct option *option = NULL;
+    unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
+    char *cid_str = "1234";
+    int refcnt_before = 0;
+
+    // Look up the option we're going to add.
+    initialize_common_option_spaces();
+    if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
+                                 &cid_code, 0, MDL)) {
+        atf_tc_fail("cannot find option definition?");
+    }
+
+    // Get the option's reference count before we call add_options.
+    refcnt_before = option->refcnt;
+
+    // Allocate a option_state to which to add an option.
+    if (!option_state_allocate(&options, MDL)) {
+           atf_tc_fail("cannot allocat options state");
+    }
+
+    // Call add_option() to add the option to the option state.
+    if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
+           atf_tc_fail("add_option returned 0");
+    }
+
+    // Verify that calling add_option() only adds 1 to the option ref count.
+    if (option->refcnt != (refcnt_before + 1)) {
+        atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+
+    // Derefrence the option_state, this should reduce the ref count to
+    // it's starting value.
+    option_state_dereference(&options, MDL);
+
+    // Verify that dereferencing option_state restores option ref count.
+    if (option->refcnt != refcnt_before) {
+        atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+}
+
 /* This macro defines main() method that will call specified
    test cases. tp and simple_test_case names can be whatever you want
    as long as it is a valid variable identifier. */
@@ -223,6 +276,7 @@
     ATF_TP_ADD_TC(tp, option_refcnt);
     ATF_TP_ADD_TC(tp, pretty_print_option);
     ATF_TP_ADD_TC(tp, parse_X);
+    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
 
     return (atf_no_error());
 }