1*4882a593SmuzhiyunFrom 2e08d138ff852820a6e87a09088d2dc2cdd15e56 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Hitendra Prajapati <hprajapati@mvista.com> 3*4882a593SmuzhiyunDate: Mon, 10 Oct 2022 09:57:15 +0530 4*4882a593SmuzhiyunSubject: [PATCH 1/2] CVE-2022-2928 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunUpstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/] 7*4882a593SmuzhiyunCVE: CVE-2022-2928 8*4882a593SmuzhiyunSigned-off-by: Hitendra Prajapati <hprajapati@mvista.com> 9*4882a593Smuzhiyun--- 10*4882a593Smuzhiyun common/options.c | 7 +++++ 11*4882a593Smuzhiyun common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++ 12*4882a593Smuzhiyun 2 files changed, 61 insertions(+) 13*4882a593Smuzhiyun 14*4882a593Smuzhiyundiff --git a/common/options.c b/common/options.c 15*4882a593Smuzhiyunindex 92c8fee..f0959cb 100644 16*4882a593Smuzhiyun--- a/common/options.c 17*4882a593Smuzhiyun+++ b/common/options.c 18*4882a593Smuzhiyun@@ -4452,6 +4452,8 @@ add_option(struct option_state *options, 19*4882a593Smuzhiyun if (!option_cache_allocate(&oc, MDL)) { 20*4882a593Smuzhiyun log_error("No memory for option cache adding %s (option %d).", 21*4882a593Smuzhiyun option->name, option_num); 22*4882a593Smuzhiyun+ /* Get rid of reference created during hash lookup. */ 23*4882a593Smuzhiyun+ option_dereference(&option, MDL); 24*4882a593Smuzhiyun return 0; 25*4882a593Smuzhiyun } 26*4882a593Smuzhiyun 27*4882a593Smuzhiyun@@ -4463,6 +4465,8 @@ add_option(struct option_state *options, 28*4882a593Smuzhiyun MDL)) { 29*4882a593Smuzhiyun log_error("No memory for constant data adding %s (option %d).", 30*4882a593Smuzhiyun option->name, option_num); 31*4882a593Smuzhiyun+ /* Get rid of reference created during hash lookup. */ 32*4882a593Smuzhiyun+ option_dereference(&option, MDL); 33*4882a593Smuzhiyun option_cache_dereference(&oc, MDL); 34*4882a593Smuzhiyun return 0; 35*4882a593Smuzhiyun } 36*4882a593Smuzhiyun@@ -4471,6 +4475,9 @@ add_option(struct option_state *options, 37*4882a593Smuzhiyun save_option(&dhcp_universe, options, oc); 38*4882a593Smuzhiyun option_cache_dereference(&oc, MDL); 39*4882a593Smuzhiyun 40*4882a593Smuzhiyun+ /* Get rid of reference created during hash lookup. */ 41*4882a593Smuzhiyun+ option_dereference(&option, MDL); 42*4882a593Smuzhiyun+ 43*4882a593Smuzhiyun return 1; 44*4882a593Smuzhiyun } 45*4882a593Smuzhiyun 46*4882a593Smuzhiyundiff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c 47*4882a593Smuzhiyunindex 600ebe6..963b566 100644 48*4882a593Smuzhiyun--- a/common/tests/option_unittest.c 49*4882a593Smuzhiyun+++ b/common/tests/option_unittest.c 50*4882a593Smuzhiyun@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc) 51*4882a593Smuzhiyun } 52*4882a593Smuzhiyun } 53*4882a593Smuzhiyun 54*4882a593Smuzhiyun+ATF_TC(add_option_ref_cnt); 55*4882a593Smuzhiyun+ 56*4882a593Smuzhiyun+ATF_TC_HEAD(add_option_ref_cnt, tc) 57*4882a593Smuzhiyun+{ 58*4882a593Smuzhiyun+ atf_tc_set_md_var(tc, "descr", 59*4882a593Smuzhiyun+ "Verify add_option() does not leak option ref counts."); 60*4882a593Smuzhiyun+} 61*4882a593Smuzhiyun+ 62*4882a593Smuzhiyun+ATF_TC_BODY(add_option_ref_cnt, tc) 63*4882a593Smuzhiyun+{ 64*4882a593Smuzhiyun+ struct option_state *options = NULL; 65*4882a593Smuzhiyun+ struct option *option = NULL; 66*4882a593Smuzhiyun+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER; 67*4882a593Smuzhiyun+ char *cid_str = "1234"; 68*4882a593Smuzhiyun+ int refcnt_before = 0; 69*4882a593Smuzhiyun+ 70*4882a593Smuzhiyun+ // Look up the option we're going to add. 71*4882a593Smuzhiyun+ initialize_common_option_spaces(); 72*4882a593Smuzhiyun+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, 73*4882a593Smuzhiyun+ &cid_code, 0, MDL)) { 74*4882a593Smuzhiyun+ atf_tc_fail("cannot find option definition?"); 75*4882a593Smuzhiyun+ } 76*4882a593Smuzhiyun+ 77*4882a593Smuzhiyun+ // Get the option's reference count before we call add_options. 78*4882a593Smuzhiyun+ refcnt_before = option->refcnt; 79*4882a593Smuzhiyun+ 80*4882a593Smuzhiyun+ // Allocate a option_state to which to add an option. 81*4882a593Smuzhiyun+ if (!option_state_allocate(&options, MDL)) { 82*4882a593Smuzhiyun+ atf_tc_fail("cannot allocat options state"); 83*4882a593Smuzhiyun+ } 84*4882a593Smuzhiyun+ 85*4882a593Smuzhiyun+ // Call add_option() to add the option to the option state. 86*4882a593Smuzhiyun+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) { 87*4882a593Smuzhiyun+ atf_tc_fail("add_option returned 0"); 88*4882a593Smuzhiyun+ } 89*4882a593Smuzhiyun+ 90*4882a593Smuzhiyun+ // Verify that calling add_option() only adds 1 to the option ref count. 91*4882a593Smuzhiyun+ if (option->refcnt != (refcnt_before + 1)) { 92*4882a593Smuzhiyun+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d", 93*4882a593Smuzhiyun+ refcnt_before, option->refcnt); 94*4882a593Smuzhiyun+ } 95*4882a593Smuzhiyun+ 96*4882a593Smuzhiyun+ // Derefrence the option_state, this should reduce the ref count to 97*4882a593Smuzhiyun+ // it's starting value. 98*4882a593Smuzhiyun+ option_state_dereference(&options, MDL); 99*4882a593Smuzhiyun+ 100*4882a593Smuzhiyun+ // Verify that dereferencing option_state restores option ref count. 101*4882a593Smuzhiyun+ if (option->refcnt != refcnt_before) { 102*4882a593Smuzhiyun+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d", 103*4882a593Smuzhiyun+ refcnt_before, option->refcnt); 104*4882a593Smuzhiyun+ } 105*4882a593Smuzhiyun+} 106*4882a593Smuzhiyun+ 107*4882a593Smuzhiyun /* This macro defines main() method that will call specified 108*4882a593Smuzhiyun test cases. tp and simple_test_case names can be whatever you want 109*4882a593Smuzhiyun as long as it is a valid variable identifier. */ 110*4882a593Smuzhiyun@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp) 111*4882a593Smuzhiyun ATF_TP_ADD_TC(tp, option_refcnt); 112*4882a593Smuzhiyun ATF_TP_ADD_TC(tp, pretty_print_option); 113*4882a593Smuzhiyun ATF_TP_ADD_TC(tp, parse_X); 114*4882a593Smuzhiyun+ ATF_TP_ADD_TC(tp, add_option_ref_cnt); 115*4882a593Smuzhiyun 116*4882a593Smuzhiyun return (atf_no_error()); 117*4882a593Smuzhiyun } 118*4882a593Smuzhiyun-- 119*4882a593Smuzhiyun2.25.1 120*4882a593Smuzhiyun 121