Bug#730294: isc-dhcp-client: Infinite loop if rfc3442-classless-static-routes is malformed

Sat, 23 Nov 2013 10:53:08 -0800 

Package: isc-dhcp-client
Version: 4.2.4-7
Severity: normal
Tags: patch

Dear Maintainer,

I recently messed up the value of rfc3442-classless-static-routes
on my DHCP server (I had "16, 10, 150, 0, 0, 10, 150, 3, 1" when
it should have been "16, 10, 150, 10, 150, 3, 1") and this caused
/etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes to go into an
infinite loop on my clients.

The problem is that the rfc3442-classless-routes script processes the
rfc3442-classless-static-routes value using a loop that looks like this:

        while [ $# -gt 0 ]; do
                net_length=$1
                # ...
                case $net_length in
                        32|31|30|29|28|27|26|25)
                                net_address="${2}.${3}.${4}.${5}"
                                gateway="${6}.${7}.${8}.${9}"
                                shift 9
                                ;;
                        # ...
                esac
                # ...
        done

If the argument to shift is greater than the number of arguments
available, shift prints an error and doesn't shift any arguments at all.
Thus, if the value of rfc3442-classless-static-routes is malformed and
there are fewer arguments than the value of $net_length requires, it's
possible for no shifting to take place and for $# to never reach 0.

I have included a patch to this script which fixes the problem by bailing
out if $# is too small.  (In addition to fixing the infinite loop,
this also prevents the excution of "ip route add" with bogus values for
$net_address and $gateway.)

Regards,

Andrew

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.11-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      4.4
ii  iproute          1:3.11.0-1
ii  isc-dhcp-common  4.2.4-7
ii  libc6            2.17-96

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd  <none>
pn  resolvconf     <none>

-- no debconf information

--- rfc3442-classless-routes	2013-05-27 14:00:32.000000000 -0700
+++ rfc3442-classless-routes.fixed	2013-11-23 10:04:03.117023572 -0800
@@ -20,26 +20,41 @@
 
 				case $net_length in
 					32|31|30|29|28|27|26|25)
+						if [ $# -lt 9 ]; then
+							return 1
+						fi
 						net_address="${2}.${3}.${4}.${5}"
 						gateway="${6}.${7}.${8}.${9}"
 						shift 9
 						;;
 					24|23|22|21|20|19|18|17)
+						if [ $# -lt 8 ]; then
+							return 1
+						fi
 						net_address="${2}.${3}.${4}.0"
 						gateway="${5}.${6}.${7}.${8}"
 						shift 8
 						;;
 					16|15|14|13|12|11|10|9)
+						if [ $# -lt 7 ]; then
+							return 1
+						fi
 						net_address="${2}.${3}.0.0"
 						gateway="${4}.${5}.${6}.${7}"
 						shift 7
 						;;
 					8|7|6|5|4|3|2|1)
+						if [ $# -lt 6 ]; then
+							return 1
+						fi
 						net_address="${2}.0.0.0"
 						gateway="${3}.${4}.${5}.${6}"
 						shift 6
 						;;
 					0)	# default route
+						if [ $# -lt 5 ]; then
+							return 1
+						fi
 						net_address="0.0.0.0"
 						gateway="${2}.${3}.${4}.${5}"
 						shift 5

Reply via email to