[pkg-dhcp-devel] Bug#730294: isc-dhcp-client: Infinite loop if rfc3442-classless-static-routes is malformed

Andrew Ayer agwa at andrewayer.name
Sat Nov 23 18:11:12 UTC 2013 

Package: isc-dhcp-client
Version: 4.2.4-7
Severity: normal
Tags: patch

Dear Maintainer,

I recently messed up the value of rfc3442-classless-static-routes
on my DHCP server (I had "16, 10, 150, 0, 0, 10, 150, 3, 1" when
it should have been "16, 10, 150, 10, 150, 3, 1") and this caused
/etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes to go into an
infinite loop on my clients.

The problem is that the rfc3442-classless-routes script processes the
rfc3442-classless-static-routes value using a loop that looks like this:

	while [ $# -gt 0 ]; do
		net_length=$1
		# ...
		case $net_length in
			32|31|30|29|28|27|26|25)
				net_address="${2}.${3}.${4}.${5}"
				gateway="${6}.${7}.${8}.${9}"
				shift 9
				;;
			# ...
		esac
		# ...
	done

If the argument to shift is greater than the number of arguments
available, shift prints an error and doesn't shift any arguments at all.
Thus, if the value of rfc3442-classless-static-routes is malformed and
there are fewer arguments than the value of $net_length requires, it's
possible for no shifting to take place and for $# to never reach 0.

I have included a patch to this script which fixes the problem by bailing
out if $# is too small.  (In addition to fixing the infinite loop,
this also prevents the excution of "ip route add" with bogus values for
$net_address and $gateway.)

Regards,

Andrew

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.11-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      4.4
ii  iproute          1:3.11.0-1
ii  isc-dhcp-common  4.2.4-7
ii  libc6            2.17-96

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd  <none>
pn  resolvconf     <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dhclient-infinite-loop.patch
Type: text/x-diff
Size: 1078 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dhcp-devel/attachments/20131123/3f3432e1/attachment.patch>

More information about the pkg-dhcp-devel mailing list