1From 2e08d138ff852820a6e87a09088d2dc2cdd15e56 Mon Sep 17 00:00:00 2001 2From: Hitendra Prajapati <hprajapati@mvista.com> 3Date: Mon, 10 Oct 2022 09:57:15 +0530 4Subject: [PATCH 1/2] CVE-2022-2928 5 6Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/] 7CVE: CVE-2022-2928 8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> 9--- 10 common/options.c | 7 +++++ 11 common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++ 12 2 files changed, 61 insertions(+) 13 14diff --git a/common/options.c b/common/options.c 15index 92c8fee..f0959cb 100644 16--- a/common/options.c 17+++ b/common/options.c 18@@ -4452,6 +4452,8 @@ add_option(struct option_state *options, 19 if (!option_cache_allocate(&oc, MDL)) { 20 log_error("No memory for option cache adding %s (option %d).", 21 option->name, option_num); 22+ /* Get rid of reference created during hash lookup. */ 23+ option_dereference(&option, MDL); 24 return 0; 25 } 26 27@@ -4463,6 +4465,8 @@ add_option(struct option_state *options, 28 MDL)) { 29 log_error("No memory for constant data adding %s (option %d).", 30 option->name, option_num); 31+ /* Get rid of reference created during hash lookup. */ 32+ option_dereference(&option, MDL); 33 option_cache_dereference(&oc, MDL); 34 return 0; 35 } 36@@ -4471,6 +4475,9 @@ add_option(struct option_state *options, 37 save_option(&dhcp_universe, options, oc); 38 option_cache_dereference(&oc, MDL); 39 40+ /* Get rid of reference created during hash lookup. */ 41+ option_dereference(&option, MDL); 42+ 43 return 1; 44 } 45 46diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c 47index 600ebe6..963b566 100644 48--- a/common/tests/option_unittest.c 49+++ b/common/tests/option_unittest.c 50@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc) 51 } 52 } 53 54+ATF_TC(add_option_ref_cnt); 55+ 56+ATF_TC_HEAD(add_option_ref_cnt, tc) 57+{ 58+ atf_tc_set_md_var(tc, "descr", 59+ "Verify add_option() does not leak option ref counts."); 60+} 61+ 62+ATF_TC_BODY(add_option_ref_cnt, tc) 63+{ 64+ struct option_state *options = NULL; 65+ struct option *option = NULL; 66+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER; 67+ char *cid_str = "1234"; 68+ int refcnt_before = 0; 69+ 70+ // Look up the option we're going to add. 71+ initialize_common_option_spaces(); 72+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, 73+ &cid_code, 0, MDL)) { 74+ atf_tc_fail("cannot find option definition?"); 75+ } 76+ 77+ // Get the option's reference count before we call add_options. 78+ refcnt_before = option->refcnt; 79+ 80+ // Allocate a option_state to which to add an option. 81+ if (!option_state_allocate(&options, MDL)) { 82+ atf_tc_fail("cannot allocat options state"); 83+ } 84+ 85+ // Call add_option() to add the option to the option state. 86+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) { 87+ atf_tc_fail("add_option returned 0"); 88+ } 89+ 90+ // Verify that calling add_option() only adds 1 to the option ref count. 91+ if (option->refcnt != (refcnt_before + 1)) { 92+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d", 93+ refcnt_before, option->refcnt); 94+ } 95+ 96+ // Derefrence the option_state, this should reduce the ref count to 97+ // it's starting value. 98+ option_state_dereference(&options, MDL); 99+ 100+ // Verify that dereferencing option_state restores option ref count. 101+ if (option->refcnt != refcnt_before) { 102+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d", 103+ refcnt_before, option->refcnt); 104+ } 105+} 106+ 107 /* This macro defines main() method that will call specified 108 test cases. tp and simple_test_case names can be whatever you want 109 as long as it is a valid variable identifier. */ 110@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp) 111 ATF_TP_ADD_TC(tp, option_refcnt); 112 ATF_TP_ADD_TC(tp, pretty_print_option); 113 ATF_TP_ADD_TC(tp, parse_X); 114+ ATF_TP_ADD_TC(tp, add_option_ref_cnt); 115 116 return (atf_no_error()); 117 } 118-- 1192.25.1 120 121