Hello community, here is the log from the commit of package dhcp for openSUSE:Factory checked in at 2018-02-02 22:20:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dhcp (Old) and /work/SRC/openSUSE:Factory/.dhcp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dhcp" Fri Feb 2 22:20:07 2018 rev:106 rq:571637 version:4.3.5 Changes: --------
--- /work/SRC/openSUSE:Factory/dhcp/dhcp.changes 2017-12-23 12:16:38.135923448 +0100
+++ /work/SRC/openSUSE:Factory/.dhcp.new/dhcp.changes 2018-02-02 22:20:08.711861567 +0100
@@ -1,0 +2,13 @@
+Fri Jan 19 12:16:47 CET 2018 - n...@suse.de
+
+- Optimized if and when DNS client context and ports
+ are initted (bsc#1073935)
+ [+0022-Optimized-if-and-when-DNS-client-context-and-ports.patch]
+
+-------------------------------------------------------------------
+Tue Jan 16 16:15:45 CET 2018 - n...@suse.de
+
+- Plugs a socket descriptor leak in OMAPI(bsc#1076119, CVE-2017-3144)
+ [ +0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch]
+
+-------------------------------------------------------------------
New: ---- 0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch 0022-Optimized-if-and-when-DNS-client-context-and-ports.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dhcp.spec ++++++
--- /var/tmp/diff_new_pack.2HVa0g/_old 2018-02-02 22:20:12.467686227 +0100
+++ /var/tmp/diff_new_pack.2HVa0g/_new 2018-02-02 22:20:12.471686040 +0100
@@ -1,7 +1,7 @@
#
# spec file for package dhcp
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -113,6 +113,8 @@
# PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780
Patch19: 0019-dhcp-4.2.4-P1-interval.patch
Patch20: 0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
+Patch21: 0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch
+Patch22: 0022-Optimized-if-and-when-DNS-client-context-and-ports.patch
## PreReq: /bin/touch /sbin/chkconfig sysconfig
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -249,6 +251,8 @@
%patch18 -p1
%patch19 -p1
%patch20 -p1
+%patch21 -p1
+%patch22 -p1
## find . -type f -name \*.cat\* -exec rm -f {} \;
dos2unix contrib/ms2isc/*
++++++ 0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch ++++++
>From 1a6b62fe17a42b00fa234d06b6dfde3d03451894 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tm...@isc.org>
Date: Thu, 7 Dec 2017 11:23:36 -0500
Subject: [PATCH] [master] Plugs a socket descriptor leak in OMAPI
Merges in rt46767.
---
RELNOTES | 5 +++++
omapip/buffer.c | 9 +++++++++
omapip/message.c | 2 +-
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/RELNOTES b/RELNOTES
index cf44b3e..d43e7b3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -919,6 +919,11 @@ by Eric Young (e...@cryptsoft.com).
and our website for directions on bug submissions.
[ISC-Bugs #24789]
+- Plugged a socket descriptor leak in OMAPI, that can occur when there is
+ data pending to be written to an OMAPI connection, when the connection
+ is closed by the reader.
+ [ISc-Bugs #46767]
+
Changes since 4.2.0 (new features) - If a client renews before 'dhcp-cache-threshold' percent of its lease
diff --git a/omapip/buffer.c b/omapip/buffer.c
index f7fdc32..809034d 100644
--- a/omapip/buffer.c
+++ b/omapip/buffer.c
@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
omapi_buffer_dereference (&buffer, MDL);
}
}
+
+ /* If we had data left to write when we're told to disconnect,
+ * we need recall disconnect, now that we're done writing.
+ * See rt46767. */
+ if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
+ omapi_disconnect (h, 1);
+ return ISC_R_SHUTTINGDOWN;
+ }
+
return ISC_R_SUCCESS;
}
diff --git a/omapip/message.c b/omapip/message.c
index 59ccdc2..21bcfc3 100644
--- a/omapip/message.c
+++ b/omapip/message.c
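Review bot: The comment above the new check reads `* we need recall disconnect, now that we're done writing.`; it should read `* we need to recall disconnect, now that we're done writing.`, and it is worth adding that ISC_R_SHUTTINGDOWN is the expected result for a deferred disconnect rather than an error, so callers do not log it as one. The branch fires only when the loop above has drained the buffer (`c->out_bytes == 0`); if that loop can return early on a write error while `c->state == omapi_connection_disconnecting`, the deferred disconnect is not reached here — whether those paths close the descriptor themselves is outside the hunk and worth confirming, since an unclosed socket is exactly the leak this change plugs. omapi_connection_writer's body begins before the hunk.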
@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
}
#ifdef DEBUG_PROTOCOL
-static const char *omapi_message_op_name(int op) {
+const char *omapi_message_op_name(int op) {
switch (op) {
case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN";
case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";
++++++ 0022-Optimized-if-and-when-DNS-client-context-and-ports.patch ++++++
>From df869de2b9f95f14ce4eca142afaf0f1fef29809 Mon Sep 17 00:00:00 2001
From: Nirmoy Das <n...@suse.de>
Date: Thu, 11 Jan 2018 10:20:59 +0100
Subject: [PATCH] modified for SLES
>From ca22af89996483efd820de0084c964fc336ee7c1 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tm...@isc.org>
Date: Mon, 19 Jun 2017 14:44:29 -0400
Subject: [PATCH] [master] Optimized if and when DNS client context and ports are initted
Merges in rt45290.
---
RELNOTES | 9 ++++++
client/dhclient.8 | 5 +--
client/dhclient.c | 4 +--
common/dns.c | 15 +++++++--
includes/omapip/isclib.h | 9 +++++-
omapip/isclib.c | 80 ++++++++++++++++++++++++++++++------------------
relay/dhcrelay.c | 3 +-
server/dhcpd.8 | 6 ++--
server/dhcpd.c | 14 ++++++---
9 files changed, 100 insertions(+), 45 deletions(-)
---
client/dhclient.8 | 5 +--
client/dhclient.c | 4 +--
common/dns.c | 15 +++++++--
includes/omapip/isclib.h | 9 +++++-
omapip/isclib.c | 80 ++++++++++++++++++++++++++++++------------------
relay/dhcrelay.c | 3 +-
server/dhcpd.8 | 4 +--
server/dhcpd.c | 14 ++++++---
8 files changed, 90 insertions(+), 44 deletions(-)
diff --git a/client/dhclient.8 b/client/dhclient.8
index d9a26b7..8991e16 100644
--- a/client/dhclient.8
+++ b/client/dhclient.8
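Review bot: Dropping `static` from `omapi_message_op_name` gives the symbol external linkage, but this patch touches no header (its diffstat lists only RELNOTES, omapip/buffer.c and omapip/message.c), so any other translation unit meant to call it has no prototype, and -Wmissing-prototypes will now flag the definition. Either add `const char *omapi_message_op_name(int op);` to the omapip header under the same `#ifdef DEBUG_PROTOCOL`, or keep the function `static` if nothing outside this file uses it. The function's body continues past the end of the hunk.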
@@ -461,8 +461,9 @@ port will be used for the established connection. When DDNS is enabled at compile time (see includes/site.h) the client will open both a v4 and a v6 UDP socket on
-random ports. These ports are opened even if DDNS is disabled
-in the configuration file.
+random ports. These ports are not opened unless/until the
+client first attempts to do an update. If the client is not
+configured to do updates, the ports will never be opened.
.PP
.SH CONFIGURATION
The syntax of the \fBdhclient.conf(5)\fR file is discussed separately.
diff --git a/client/dhclient.c b/client/dhclient.c
index 2804ea8..d3fe751 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -187,8 +187,8 @@ main(int argc, char **argv) {
#endif
/* Set up the isc and dns library managers */
- status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB,
- NULL, NULL);
+ status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB
+ | DHCP_DNS_CLIENT_LAZY_INIT, NULL, NULL);
if (status != ISC_R_SUCCESS)
log_fatal("Can't initialize context: %s",
isc_result_totext(status));
diff --git a/common/dns.c b/common/dns.c
index 0f8be80..2ca4ba8 100644
--- a/common/dns.c
+++ b/common/dns.c
@@ -3,8 +3,7 @@
Domain Name Service subroutines. */
/*
- * Copyright (c) 2009-2015 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 2004-2007 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
* Copyright (c) 2001-2003 by Internet Software Consortium
*
* Permission to use, copy, modify, and distribute this software for any
@@ -2151,6 +2150,12 @@ ddns_modify_fwd(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
isc_sockaddrlist_t *zlist = NULL;
+ /* Creates client context if we need to */
+ result = dns_client_init();
+ if (result != ISC_R_SUCCESS) {
+ return result;
+ }
+
/* Get a pointer to the clientname to make things easier. */
clientname = (unsigned char *)ddns_cb->fwd_name.data;
@@ -2359,6 +2364,12 @@ ddns_modify_ptr(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
unsigned char buf[256];
int buflen;
+ /* Creates client context if we need to */
+ result = dns_client_init();
+ if (result != ISC_R_SUCCESS) {
+ return result;
+ }
+
/*
* Try to lookup the zone in the zone cache. As with the forward
* case it's okay if we don't have one, the DNS code will try to
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index caa388a..e296308 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -3,7 +3,7 @@
connections to the isc and dns libraries */
/*
- * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009-2017 by Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -98,6 +98,10 @@ typedef struct dhcp_context {
isc_timermgr_t *timermgr;
#if defined (NSUPDATE)
dns_client_t *dnsclient;
+ int use_local4;
+ isc_sockaddr_t local4_sockaddr;
+ int use_local6;
+ isc_sockaddr_t local6_sockaddr;
#endif
} dhcp_context_t;
@@ -125,6 +129,7 @@ isclib_make_dst_key(char *inname,
#define DHCP_CONTEXT_PRE_DB 1
#define DHCP_CONTEXT_POST_DB 2
+#define DHCP_DNS_CLIENT_LAZY_INIT 4
isc_result_t dhcp_context_create(int flags, struct in_addr *local4, struct in6_addr *local6);
@@ -133,4 +138,6 @@ void isclib_cleanup(void);
void dhcp_signal_handler(int signal);
extern int shutdown_signal;
+isc_result_t dns_client_init();
+
#endif /* ISCLIB_H */
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 13f0d3e..ce86490 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
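Review bot: `isc_result_t dns_client_init();` is declared with an empty parameter list, which in C means unspecified arguments rather than none, so a call that passes stray arguments is not diagnosed; write `isc_result_t dns_client_init(void);` here and `isc_result_t dns_client_init(void) {` at the definition in omapip/isclib.c, as `void isclib_cleanup(void);` in the same hunk already does. The prototype also sits outside the `#if defined (NSUPDATE)` block that, in the struct hunk above, guards the `dnsclient`, `use_local4`/`local4_sockaddr` and `use_local6`/`local6_sockaddr` fields the function works on; if the definition is only compiled with NSUPDATE, wrapping the declaration the same way keeps the header honest about when the function exists.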
@@ -1,5 +1,5 @@
/*
- * Copyright(c) 2009-2010,2013-2014 by Internet Systems Consortium, Inc.("ISC")
+ * Copyright(c) 2009-2017 by Internet Systems Consortium, Inc.("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -221,39 +221,24 @@ dhcp_context_create(int flags,
#if defined (NSUPDATE)
if ((flags & DHCP_CONTEXT_POST_DB) != 0) {
- isc_sockaddr_t localaddr4, *localaddr4_ptr = NULL;
- isc_sockaddr_t localaddr6, *localaddr6_ptr = NULL;
+ /* Setting addresses only.
+ * All real work will be done later on if needed to avoid
+ * listening on ddns port if client/server was compiled with
+ * ddns support but not using it. */
if (local4 != NULL) {
- isc_sockaddr_fromin(&localaddr4, local4, 0);
- localaddr4_ptr = &localaddr4;
+ dhcp_gbl_ctx.use_local4 = 1;
+ isc_sockaddr_fromin(&dhcp_gbl_ctx.local4_sockaddr,
+ local4, 0);
}
+
if (local6 != NULL) {
- isc_sockaddr_fromin6(&localaddr6, local6, 0);
- localaddr6_ptr = &localaddr6;
+ dhcp_gbl_ctx.use_local6 = 1;
+ isc_sockaddr_fromin6(&dhcp_gbl_ctx.local6_sockaddr,
+ local6, 0);
}
- result = dns_client_createx2(dhcp_gbl_ctx.mctx,
- dhcp_gbl_ctx.actx,
- dhcp_gbl_ctx.taskmgr,
- dhcp_gbl_ctx.socketmgr,
- dhcp_gbl_ctx.timermgr,
- 0,
- &dhcp_gbl_ctx.dnsclient,
- localaddr4_ptr,
- localaddr6_ptr);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * If we can't set up the servers we may not be able to
- * do DDNS but we should continue to try and perform
- * our basic functions and let the user sort it out.
- */
- result = dhcp_dns_client_setservers();
- if (result != ISC_R_SUCCESS) {
- log_error("Unable to set resolver from resolv.conf; "
- "startup continuing but DDNS support "
- "may be affected");
+ if (!(flags & DHCP_DNS_CLIENT_LAZY_INIT)) {
+ result = dns_client_init();
}
}
#endif
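Review bot: The non-lazy path now does `result = dns_client_init();` and falls through, where the removed code did `if (result != ISC_R_SUCCESS) goto cleanup;` right after creating the client. What becomes of `result` after the `#endif` is outside the hunk; if the function returns success unconditionally there, a failed client-context creation is logged inside dns_client_init but no longer reported to the caller, and dhclient.c, dhcrelay.c and dhcpd.c on this page all treat a dhcp_context_create failure as fatal. Unless the later code already checks it, keep the old semantics with `result = dns_client_init(); if (result != ISC_R_SUCCESS) goto cleanup;` inside the new `if`. dhcp_context_create starts before the hunk.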
@@ -360,3 +345,40 @@ void dhcp_signal_handler(int signal) {
(void) isc_app_ctxsuspend(ctx);
}
}
+
+isc_result_t dns_client_init() {
+ isc_result_t result;
+ if (dhcp_gbl_ctx.dnsclient == NULL) {
+ result = dns_client_createx2(dhcp_gbl_ctx.mctx,
+ dhcp_gbl_ctx.actx,
+ dhcp_gbl_ctx.taskmgr,
+ dhcp_gbl_ctx.socketmgr,
+ dhcp_gbl_ctx.timermgr,
+ 0,
+ &dhcp_gbl_ctx.dnsclient,
+ (dhcp_gbl_ctx.use_local4 ?
+ &dhcp_gbl_ctx.local4_sockaddr
+ : NULL),
+ (dhcp_gbl_ctx.use_local6 ?
+ &dhcp_gbl_ctx.local6_sockaddr
+ : NULL));
+
+ if (result != ISC_R_SUCCESS) {
+ log_error("Unable to create DNS client context:"
+ " result: %d", result);
+ return result;
+ }
+
+ /* If we can't set up the servers we may not be able to
+ * do DDNS but we should continue to try and perform
+ * our basic functions and let the user sort it out. */
+ result = dhcp_dns_client_setservers();
+ if (result != ISC_R_SUCCESS) {
+ log_error("Unable to set resolver from resolv.conf; "
+ "startup continuing but DDNS support "
+ "may be affected: result %d", result);
+ }
+ }
+
+ return ISC_R_SUCCESS;
+}
diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
index 9d39fae..3abbe1e 100644
--- a/relay/dhcrelay.c
+++ b/relay/dhcrelay.c
@@ -204,8 +204,7 @@ main(int argc, char **argv) {
#endif
/* Set up the isc and dns library managers */
- status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB,
- NULL, NULL);
+ status = dhcp_context_create(DHCP_CONTEXT_PRE_DB, NULL, NULL);
if (status != ISC_R_SUCCESS)
log_fatal("Can't initialize context: %s",
isc_result_totext(status));
diff --git a/server/dhcpd.8 b/server/dhcpd.8
index bfda639..259b91c 100644
--- a/server/dhcpd.8
+++ b/server/dhcpd.8
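Review bot: `dns_client_init` is appended after `dhcp_signal_handler` with no `#if defined (NSUPDATE)` around it, yet it reads `dhcp_gbl_ctx.dnsclient`, `use_local4`/`local4_sockaddr` and `use_local6`/`local6_sockaddr`, which the isclib.h hunk declares only inside `#if defined (NSUPDATE)`; unless the tail of isclib.c already sits inside such a block (not visible here), a build without NSUPDATE fails to compile, so the definition should be wrapped the same way. Both log_error calls print the isc_result_t with `%d`, while the rest of this page reports these values through isc_result_totext() (the `log_fatal("Can't initialize context: %s", isc_result_totext(status))` calls in dhclient.c and dhcrelay.c), so `log_error("Unable to create DNS client context: %s", isc_result_totext(result));` would be consistent and far easier to read in a log. A failure of dhcp_dns_client_setservers() still yields ISC_R_SUCCESS, so the ddns_modify_fwd/ddns_modify_ptr callers in dns.c bail out only when the client context itself could not be created — intended per the comment, but worth stating in a header comment, e.g. `/* Create the global DNS client on first use; a resolver setup failure is logged, not returned. */`.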
@@ -358,8 +358,8 @@ port will be used for the established connection. When DDNS is enabled at compile time (see includes/site.h) the server will open both a v4 and a v6 UDP socket on
-random ports. These ports are opened even if DDNS is disabled
-in the configuration file.
+random ports, unless DDNS updates are globally disabled by
+setting ddns-update-style to none in the configuration file.
.PP
.SH CONFIGURATION
The syntax of the dhcpd.conf(5) file is discussed separately. This
diff --git a/server/dhcpd.c b/server/dhcpd.c
index 0f5c640..d7c4456 100644
--- a/server/dhcpd.c
+++ b/server/dhcpd.c
@@ -1053,10 +1053,16 @@ void postconf_initialization (int quiet)
}
}
- if (dhcp_context_create(DHCP_CONTEXT_POST_DB, local4_ptr, local6_ptr)
- != ISC_R_SUCCESS)
- log_fatal("Unable to complete ddns initialization");
-
+ /* Don't init DNS client if update style is none. This avoids
+ * listening ports that aren't needed. We don't use ddns-udpates
+ * as that has multiple levels of scope. */
+ if (ddns_update_style != DDNS_UPDATE_STYLE_NONE) {
+ if (dhcp_context_create(DHCP_CONTEXT_POST_DB,
+ local4_ptr, local6_ptr)
+ != ISC_R_SUCCESS) {
+ log_fatal("Unable to complete ddns initialization");
+ }
+ }
#else
/* If we don't have support for updates compiled in tell the user */
if (ddns_update_style != DDNS_UPDATE_STYLE_NONE) {
-- 2.15.0
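Review bot: The new comment has a typo, `ddns-udpates`; the line should read `* listening ports that aren't needed. We don't use ddns-updates`. With the guard, a server configured with ddns-update-style none never calls dhcp_context_create(DHCP_CONTEXT_POST_DB, ...), so `use_local4`/`use_local6` are never set; since dns.c now creates the client lazily from ddns_modify_fwd/ddns_modify_ptr, an update attempted in that mode would open the sockets without the configured local4_ptr/local6_ptr bind addresses — presumably unreachable with style none, but a sentence in the comment saying the lazy path is not expected to run here would make that explicit. postconf_initialization continues outside the hunk.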