I have assigned CVE-2006-3122 to this issue.
Eloy, please let us know which version in sid fixes the problem
when you upload a package.
Andrew, is it ok when we credit you in the advisory for discovery?
Andrew Steets wrote:
> There is a bug in ISC DHCP server version 2 that causes the server to
> unexpectedly exit when it receives a DHCPOFFER packet with a
> client-identifier option which is exactly 32 bytes long.
>
> A malicious user could use this as a sort of denial of service attack on
> a version 2 dhcp server. This does not appear to be a problem with the
> dhcp version 3 server.
>
> Explanation of the bug:
> The DHCP server has a lease struct which contains a buffer (uid_buf)
> which is 32 bytes long. If it needs more space, it simply malloc's new
> storage. There is an edge condition in supersede_lease() from memory.c
> that causes a 32 byte client-identifier to be mistakenly interpreted as
> a corrupt uid, and so the server exits with the message "corrupt lease
> uid."
Well spotted!
Thanks a lot for the research and the patch.
Regards,
Joey
--
MIME - broken solution for a broken design. -- Ralf Baechle
Please always Cc to me when replying to me on the lists.
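The edge condition Andrew describes above, as an added example that is not part of this thread and not ISC's code: a constructed model of a lease whose uid lives either in a 32-byte inline buffer or in malloc'd storage, with the supersede path written once with a strict bound (the failure mode: a 32-byte identifier is stored inline, yet the copy logic decides it does not fit inline and lands on the "corrupt lease uid" branch) and once with the inclusive bound that matches the store path. Struct layout, field names and function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the inline/heap uid split; names are assumptions, not ISC's. */
#define UID_BUF_LEN 32

struct lease {
    unsigned char *uid;                 /* uid_buf, heap storage, or NULL */
    size_t uid_len;
    unsigned char uid_buf[UID_BUF_LEN]; /* inline storage for short identifiers */
};

static void lease_free_uid(struct lease *l)
{
    if (l->uid && l->uid != l->uid_buf)
        free(l->uid);
    l->uid = NULL;
    l->uid_len = 0;
}

/* Store a client identifier: inline when it fits, on the heap otherwise.
 * The bound is inclusive, so a 32-byte uid is kept in uid_buf. */
int lease_set_uid(struct lease *l, const unsigned char *id, size_t len)
{
    lease_free_uid(l);
    if (len <= UID_BUF_LEN) {
        l->uid = l->uid_buf;
    } else {
        l->uid = malloc(len);
        if (!l->uid)
            return -1;
    }
    memcpy(l->uid, id, len);
    l->uid_len = len;
    return 0;
}

/* Move src's uid into dst when a new lease supersedes an old one.
 * Returns 0 on success, -1 where a server would die with "corrupt lease uid".
 * `inclusive` selects which comparison decides that the uid lives inline. */
static int copy_uid(struct lease *dst, struct lease *src, int inclusive)
{
    int fits_inline = inclusive ? (src->uid_len <= UID_BUF_LEN)
                                : (src->uid_len <  UID_BUF_LEN);

    lease_free_uid(dst);
    if (!src->uid)
        return 0;
    if (fits_inline) {
        memcpy(dst->uid_buf, src->uid, src->uid_len);
        dst->uid = dst->uid_buf;
        dst->uid_len = src->uid_len;
        return 0;
    }
    if (src->uid != src->uid_buf) {
        dst->uid = src->uid;          /* take over the heap storage */
        dst->uid_len = src->uid_len;
        src->uid = NULL;
        src->uid_len = 0;
        return 0;
    }
    /* Neither branch matched: the uid is judged too long for uid_buf yet lives
     * there. With the strict comparison this is exactly a 32-byte uid. */
    return -1;
}

int supersede_uid_buggy(struct lease *dst, struct lease *src) { return copy_uid(dst, src, 0); }
int supersede_uid_fixed(struct lease *dst, struct lease *src)  { return copy_uid(dst, src, 1); }

/* Feed a constructed client-identifier of `len` bytes through one version.
 * Returns the supersede result, or -3 if the copy "succeeded" with wrong data. */
int probe(size_t len, int fixed)
{
    struct lease src = {0}, dst = {0};
    unsigned char id[64];
    int rc;

    if (len > sizeof id)
        return -2;
    memset(id, 0x41, sizeof id);            /* constructed identifier: "AAAA..." */
    if (lease_set_uid(&src, id, len) != 0)
        return -2;
    rc = fixed ? supersede_uid_fixed(&dst, &src) : supersede_uid_buggy(&dst, &src);
    if (rc == 0 && (dst.uid_len != len || memcmp(dst.uid, id, len) != 0))
        rc = -3;
    lease_free_uid(&src);
    lease_free_uid(&dst);
    return rc;
}

int main(void)
{
    size_t lens[] = { 31, 32, 33 };
    for (size_t i = 0; i < 3; i++)
        printf("uid_len=%zu  buggy=%d  fixed=%d\n", lens[i],
               probe(lens[i], 0), probe(lens[i], 1));
    return 0;
}
```

Only the length that sits exactly on the inline/heap boundary trips the strict variant; 31 and 33 bytes go through both versions unchanged, which is why this kind of off-by-one survives casual testing. The practical check is that every comparison against the inline buffer size agrees with the one used when the uid is first stored.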