This looks like a possible use-after-free so likely has a security
impact (at a minimum it is a denial of service due to the crash,
especially if it can be triggered remotely) - I've reported it to ISC as
such who will hopefully assign a CVE and then we can fix it as a
security update. For future reference, RT #48804 contains a patch
that should likely be fine for Bionic:
https://bugs.isc.org/Public/Ticket/Attachment/534989/331007/46719.v4_3.diff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1781699

Title:
  DHCPv6 server crashes regularly (bionic)

Status in DHCP:
  Unknown
Status in isc-dhcp package in Ubuntu:
  Triaged
Status in isc-dhcp package in Debian:
  New
Status in isc-dhcp package in Fedora:
  Unknown

Bug description:
  The isc-dhcp-server crashes regularly on bionic, sometimes directly after boot, sometimes later.
  The version installed is 4.3.5-3ubuntu7.

  journalctl shows:
  Jul 14 09:35:11 <hostname> dhcpd[1543]: Solicit message from fe80::18eb:dfc7:17e5:c8d7 port 546, transaction ID 0x7E8EC00
  Jul 14 09:35:11 <hostname> dhcpd[1543]: Advertise NA: address <subnet>::1998 to client with duid 00:01:00:01:21:9f:3a:02:d4:a3:3d:bf:17:e9 iaid = 0 valid for 8
  Jul 14 09:35:11 <hostname> dhcpd[1543]: Sending Advertise to fe80::18eb:dfc7:17e5:c8d7 port 546
  Jul 14 09:35:12 <hostname> dhcpd[1543]: Request message from fe80::18eb:dfc7:17e5:c8d7 port 546, transaction ID 0x65FADB00
  Jul 14 09:35:12 <hostname> dhcpd[1543]: Reply NA: address <subnet>::1998 to client with duid 00:01:00:01:21:9f:3a:02:d4:a3:3d:bf:17:e9 iaid = 0 valid for 86400
  Jul 14 09:35:12 <hostname> dhcpd[1543]: Sending Reply to fe80::18eb:dfc7:17e5:c8d7 port 546
  Jul 14 09:35:53 <hostname> dhcpd[1543]: Confirm message from fe80::725a:b6ff:fea2:6120 port 546, transaction ID 0x5105F400
  Jul 14 09:35:53 <hostname> dhcpd[1543]: Sending Reply to fe80::725a:b6ff:fea2:6120 port 546
  Jul 14 09:35:53 <hostname> dhcpd[1543]: Rebind message from fe80::725a:b6ff:fea2:6120 port 546, transaction ID 0x1FEA7E00
  Jul 14 09:35:53 <hostname> dhcpd[1543]: Reply NA: address <subnet>::1992 to client with duid 00:04:c2:47:10:e8:8b:dc:d4:a1:0a:1d:21:f2:be:20:e8:a0 iaid = -1230
  Jul 14 09:35:53 <hostname> sh[1543]: ../../../lib/isc/heap.c:251: REQUIRE(idx >= 1 && idx <= heap->last) failed, back trace
  Jul 14 09:35:53 <hostname> sh[1543]: #0 0x7efc458a6417 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #1 0x7efc458a636a in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #2 0x7efc458ad4ea in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #3 0x55d9ee65d571 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #4 0x55d9ee658701 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #5 0x55d9ee65ab05 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #6 0x55d9ee65bff3 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #7 0x55d9ee65cafc in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #8 0x55d9ee678402 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #9 0x55d9ee667463 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #10 0x55d9ee696476 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #11 0x7efc458dd73b in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #12 0x7efc458ccf9e in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #13 0x7efc458d1e60 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #14 0x7efc458d2325 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #15 0x55d9ee6696b0 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #16 0x55d9ee61d519 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #17 0x7efc454c6b97 in ??
  Jul 14 09:35:53 <hostname> sh[1543]: #18 0x55d9ee61de0a in ??
  Jul 14 09:35:54 <hostname> systemd[1]: isc-dhcp-server6.service: Main process exited, code=dumped, status=6/ABRT
  Jul 14 09:35:54 <hostname> systemd[1]: isc-dhcp-server6.service: Failed with result 'core-dump'.

  The bug was reported to Debian independently, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122.

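An added triage example, not part of the original report and not isc-dhcp code: it scans journal output for ISC assertion failures and reports the last DHCPv6 client message the same PID logged before the crash, which helps judge whether the crash follows a particular message type or client. The function name, regexes and record fields are assumptions of this example; the sample lines are taken from the log above, unwrapped, with the backtrace frames omitted.

```python
import re

# Sample journal lines, unwrapped from the report above (backtrace frames omitted).
SAMPLE = """\
Jul 14 09:35:12 <hostname> dhcpd[1543]: Request message from fe80::18eb:dfc7:17e5:c8d7 port 546, transaction ID 0x65FADB00
Jul 14 09:35:53 <hostname> dhcpd[1543]: Confirm message from fe80::725a:b6ff:fea2:6120 port 546, transaction ID 0x5105F400
Jul 14 09:35:53 <hostname> dhcpd[1543]: Rebind message from fe80::725a:b6ff:fea2:6120 port 546, transaction ID 0x1FEA7E00
Jul 14 09:35:53 <hostname> sh[1543]: ../../../lib/isc/heap.c:251: REQUIRE(idx >= 1 && idx <= heap->last) failed, back trace
Jul 14 09:35:54 <hostname> systemd[1]: isc-dhcp-server6.service: Main process exited, code=dumped, status=6/ABRT
"""

# syslog-style prefix: timestamp, host, tag[pid], message body
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
# dhcpd's "<Type> message from <addr> port N, transaction ID 0x..." lines
MSG = re.compile(r"^(\w+) message from (\S+) port \d+, transaction ID (0x[0-9A-Fa-f]+)")
# ISC assertion output: "<file>:<line>: REQUIRE(<condition>) failed"
ASSERT = re.compile(r"^(\S+):(\d+): (REQUIRE|INSIST|ENSURE)\((.*)\) failed")

def find_assertion_crashes(text):
    """Return one record per assertion failure, with the last client message seen by that PID."""
    last_msg = {}   # pid -> (message type, client address, transaction id)
    crashes = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _host, _tag, pid, body = m.groups()
        msg = MSG.match(body)
        if msg:
            last_msg[pid] = msg.groups()
            continue
        hit = ASSERT.match(body)
        if hit:
            # In the report the assertion is tagged sh[1543], not dhcpd[1543],
            # so correlate on the PID and ignore the tag.
            mtype, client, xid = last_msg.get(pid, (None, None, None))
            crashes.append({"time": ts, "pid": pid, "file": hit.group(1),
                            "line": int(hit.group(2)), "check": hit.group(4),
                            "last_msg": mtype, "client": client, "xid": xid})
    return crashes

if __name__ == "__main__":
    for crash in find_assertion_crashes(SAMPLE):
        print(crash)
```

Run over a longer journal export, grouping the records by `last_msg` and `client` shows whether every crash is preceded by the same message type.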