Hi all,
I received a segmentation fault from dhclient(8) upon boot and decided
to investigate... My system is running with vm.malloc_conf=CFGJUR and I
figured one of those options was the cause of the crash. I noticed that
the buffer which holds my config options contained a lot of junk at the
end and learned that 'J' is to blame together with a missing \0.
How to reproduce:
# sysctl vm.malloc_conf=J
# cp /etc/dhclient.conf /etc/dhclient.conf.backup
# echo 'supersede domain-name "ifconfig.se";' > /etc/dhclient.conf
Then run 'dhclient if0' a lot of times until it crashes; sometimes it
takes more than 100 attempts. Using vm.malloc_conf=CFGJUR might trigger
it faster.
In clparse.c:916, malloc(3) is used to get a buffer of the same length
as the option in the config file. But with 'J' in vm.malloc_conf, the
buffer is bigger and contains junk. I wouldn't say that my fix is the
prettiest, but I get an extra byte and zero out the buffer. Maybe
someone has a more elegant fix for this.
Yours,
Jesper Wallin
Index: clparse.c
===================================================================
RCS file: /cvs/src/sbin/dhclient/clparse.c,v
retrieving revision 1.199
diff -u -p -r1.199 clparse.c
--- clparse.c 13 May 2020 20:55:41 -0000 1.199
+++ clparse.c 6 Jul 2020 21:25:54 -0000
@@ -913,7 +913,8 @@ parse_option(FILE *cfile, int *code, str
} while (*fmt == 'A' && token == ',');
free(options[i].data);
- options[i].data = malloc(hunkix);
+ options[i].data = malloc(hunkix+1);
+ memset(options[i].data, 0, hunkix+1);
if (options[i].data == NULL)
fatal("option data");
memcpy(options[i].data, hunkbuf, hunkix);
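Review bot: the added memset() runs before the NULL check, so if malloc(hunkix+1) fails this now dereferences NULL inside memset instead of reaching fatal("option data"). Since the following memcpy overwrites the first hunkix bytes anyway, zeroing the whole buffer is unnecessary; keep the NULL check directly after the malloc and terminate explicitly after the copy:
	memcpy(options[i].data, hunkbuf, hunkix);
	options[i].data[hunkix] = '\0';
That makes the intent (a terminated copy of hunkbuf) obvious, and the junk-filling 'J' option can no longer reach the byte that matters. calloc(hunkix + 1, 1) plus the same NULL check would also work if zero-filling is preferred.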
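The following is an added example, not code from the report, the patch or dhclient: it models the failure mode described above (a buffer of exactly the option's length copied without a terminator, which only looks like a C string when the allocator happens to return zeroed memory) next to the terminated version, using a stand-in for a junk-filling allocator. The junk_malloc helper, its 16-byte padding, the 0xd0 fill byte and the sample config line are all assumptions for the demonstration, not OpenBSD's actual malloc internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a junk-filling allocator such as malloc.conf 'J':
 * returns a block larger than requested and filled with a non-zero
 * byte, so code that relies on a zeroed tail stops working.
 * JUNK_PAD and JUNK_BYTE are assumed values for this demo only. */
#define JUNK_PAD  16
#define JUNK_BYTE 0xd0

static void *junk_malloc(size_t n)
{
	unsigned char *p = malloc(n + JUNK_PAD);
	if (p == NULL)
		return NULL;
	memset(p, JUNK_BYTE, n + JUNK_PAD);
	return p;
}

/* Buggy pattern: exactly hunkix bytes, no terminator written.
 * Whether the result is usable as a C string depends entirely on
 * what the allocator left behind at data[hunkix]. */
static char *copy_option_buggy(const char *hunkbuf, size_t hunkix)
{
	char *data = junk_malloc(hunkix);
	if (data == NULL)
		return NULL;
	memcpy(data, hunkbuf, hunkix);
	return data;
}

/* Fixed pattern: one extra byte, NULL check before any write,
 * and an explicit terminator after the copy. */
static char *copy_option_fixed(const char *hunkbuf, size_t hunkix)
{
	char *data = junk_malloc(hunkix + 1);
	if (data == NULL)
		return NULL;
	memcpy(data, hunkbuf, hunkix);
	data[hunkix] = '\0';
	return data;
}

/* Returns 1 if data holds a string of exactly hunkix characters followed
 * by a NUL, 0 otherwise. memchr with an explicit bound is used instead of
 * strlen so the check itself cannot run off past hunkix+1 bytes (with
 * junk_malloc that byte is inside the padded block; with a real allocator
 * reading it from the buggy copy would be out of bounds). */
static int is_terminated(const char *data, size_t hunkix)
{
	return memchr(data, '\0', hunkix + 1) == data + hunkix;
}

int main(void)
{
	/* Constructed sample input: one dhclient.conf line as a byte string. */
	const char sample[] = "supersede domain-name \"ifconfig.se\";";
	size_t n = sizeof(sample) - 1;

	char *buggy = copy_option_buggy(sample, n);
	char *fixed = copy_option_fixed(sample, n);
	if (buggy == NULL || fixed == NULL)
		return 1;
	printf("buggy terminated: %d\n", is_terminated(buggy, n));
	printf("fixed terminated: %d\n", is_terminated(fixed, n));
	/* Only the fixed copy may be printed with %s; the buggy one is not a string. */
	printf("fixed as string:  %s\n", fixed);
	free(buggy);
	free(fixed);
	return 0;
}
```

With the junk filler in place the buggy copy is never terminated, which is why the real crash only shows up under 'J' and only on some runs: without junk filling the byte after the copy is often zero by accident.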