@@ -17,6 +17,8 @@ SRC_URI = "https://downloads.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
file://0001-Makefile.am-only-build-dhcrelay.patch \
file://0002-bind-Makefile.in-disable-backtrace.patch \
file://0003-bind-Makefile.in-regenerate-configure.patch \
+ file://CVE-2022-2928.patch \
+ file://CVE-2022-2929.patch \
"
SRC_URI[sha256sum] = "0e3ec6b4c2a05ec0148874bcd999a66d05518378d77421f607fb0bc9d0135818"
new file mode 100644
@@ -0,0 +1,120 @@
+From 2e08d138ff852820a6e87a09088d2dc2cdd15e56 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 09:57:15 +0530
+Subject: [PATCH 1/2] CVE-2022-2928
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2928
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 7 +++++
+ common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/common/options.c b/common/options.c
+index 92c8fee..f0959cb 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
+ if (!option_cache_allocate(&oc, MDL)) {
+ log_error("No memory for option cache adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ return 0;
+ }
+
+@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
+ MDL)) {
+ log_error("No memory for constant data adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ option_cache_dereference(&oc, MDL);
+ return 0;
+ }
+@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
+ save_option(&dhcp_universe, options, oc);
+ option_cache_dereference(&oc, MDL);
+
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
++
+ return 1;
+ }
+
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index 600ebe6..963b566 100644
+--- a/common/tests/option_unittest.c
++++ b/common/tests/option_unittest.c
+@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
+ }
+ }
+
++ATF_TC(add_option_ref_cnt);
++
++ATF_TC_HEAD(add_option_ref_cnt, tc)
++{
++ atf_tc_set_md_var(tc, "descr",
++ "Verify add_option() does not leak option ref counts.");
++}
++
++ATF_TC_BODY(add_option_ref_cnt, tc)
++{
++ struct option_state *options = NULL;
++ struct option *option = NULL;
++ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
++ char *cid_str = "1234";
++ int refcnt_before = 0;
++
++ // Look up the option we're going to add.
++ initialize_common_option_spaces();
++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++ &cid_code, 0, MDL)) {
++ atf_tc_fail("cannot find option definition?");
++ }
++
++ // Get the option's reference count before we call add_options.
++ refcnt_before = option->refcnt;
++
++ // Allocate a option_state to which to add an option.
++ if (!option_state_allocate(&options, MDL)) {
++ atf_tc_fail("cannot allocat options state");
++ }
++
++ // Call add_option() to add the option to the option state.
++ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
++ atf_tc_fail("add_option returned 0");
++ }
++
++ // Verify that calling add_option() only adds 1 to the option ref count.
++ if (option->refcnt != (refcnt_before + 1)) {
++ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
++ refcnt_before, option->refcnt);
++ }
++
++ // Derefrence the option_state, this should reduce the ref count to
++ // it's starting value.
++ option_state_dereference(&options, MDL);
++
++ // Verify that dereferencing option_state restores option ref count.
++ if (option->refcnt != refcnt_before) {
++ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
++ refcnt_before, option->refcnt);
++ }
++}
++
+ /* This macro defines main() method that will call specified
+ test cases. tp and simple_test_case names can be whatever you want
+ as long as it is a valid variable identifier. */
+@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
+ ATF_TP_ADD_TC(tp, option_refcnt);
+ ATF_TP_ADD_TC(tp, pretty_print_option);
+ ATF_TP_ADD_TC(tp, parse_X);
++ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+
+ return (atf_no_error());
+ }
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,40 @@
+From 5436cafe1d7df409a44ff5f610248db57f0677ee Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 09:58:04 +0530
+Subject: [PATCH 2/2] CVE-2022-2929
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2929
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/common/options.c b/common/options.c
+index f0959cb..25450e1 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+ while (s < &bp -> data[0] + length + 2) {
+ len = *s;
+ if (len > 63) {
+- log_info ("fancy bits in fqdn option");
+- return 0;
++ log_info ("label length exceeds 63 in fqdn option");
++ goto bad;
+ }
+ if (len == 0) {
+ terminated = 1;
+ break;
+ }
+ if (s + len > &bp -> data [0] + length + 3) {
+- log_info ("fqdn tag longer than buffer");
+- return 0;
++ log_info ("fqdn label longer than buffer");
++ goto bad;
+ }
+
+ if (first_len == 0) {
+--
+2.25.1
+
Source: https://downloads.isc.org/isc/dhcp MR: 122791, 122806 Type: Security Fix Disposition: Backport from https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/ ChangeID: e90f768e445b7d41b86f04c634cc125546998f0f Description: Fixed CVEs: 1. CVE-2022-2928 2. CVE-2022-2929 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../dhcp/dhcp-relay_4.4.3.bb | 2 + .../dhcp/files/CVE-2022-2928.patch | 120 ++++++++++++++++++ .../dhcp/files/CVE-2022-2929.patch | 40 ++++++ 3 files changed, 162 insertions(+) create mode 100644 meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch create mode 100644 meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch