From: Andrew Pollock
To: dhcp-bugs@isc.org
CC: db.pub.mail@gmail.com, 622380-forwarded@bugs.debian.org, 622380@bugs.debian.org
Subject: [db.pub.mail@gmail.com: Bug#622380: isc-dhcp-client: IPv6 address buffer size mismatch and comment error]
Date: Thu, 25 Aug 2011 22:44:15 -0700
Message-ID: <20110826054414.GA5758@icarus.andrew.net.au>

Hello,

One of our users reported this bug. I'm not sure if it's already reported in
your bug tracker or not.

Please maintain the Cc to keep our bug tracking system in the loop.

regards

Andrew

----- Forwarded message from david b -----

Date: Wed, 13 Apr 2011 01:44:47 +1000
From: david b
To: Debian Bug Tracking System
Subject: Bug#622380: isc-dhcp-client: minor bug
X-Mailer: reportbug 4.12.6

Package: isc-dhcp-client
Version: 4.1.1-P1-15+squeeze2
Severity: important

I have given up on upstream and their bug tracking is "closed" anyway.
Over a few emails I sent the following to isc.

"
In dhcpclient.c

dhcp()
...
	char addrbuf[4*16];
...
...

The following comment is just plain wrong:

	/* piaddr() returns its result in a static
	   buffer sized 4*16 (see common/inet.c). */

Why? Because sizeof pbuf is 46.

source:
	static char
		pbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];

Ok. Now in dhcpv6()
...
	char addrbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")];

the sizeof addrbuf is 40.

Following along:

	/* Discard, with log, packets from quenched sources. */
	for (ap = packet->interface->client->config->reject_list ;
	     ap ; ap = ap->next) {
		if (addr_match(&packet->client_addr, &ap->match)) {
Ah... --->		strcpy(addrbuf, piaddr(packet->client_addr));
			log_info("%s from %s rejected by rule %s",
				 dhcpv6_type_names[packet->dhcpv6_msg_type],
				 addrbuf,
				 piaddrmask(&ap->match.addr, &ap->match.mask));
			return;
		}
	}

From the strcpy manual:

	The strcpy() function copies the string pointed to by src, including
	the terminating null byte ('\0'), to the buffer pointed to by dest.
	The strings may not overlap, and the destination string dest must be
	large enough to receive the copy.

The man page for inet_ntop states the following:

	AF_INET6
		src points to a struct in6_addr (in network byte order) which
		is converted to a representation of this address in the most
		appropriate IPv6 network address format for this address. The
		buffer dst must be at least INET6_ADDRSTRLEN bytes long.

INET6_ADDRSTRLEN is 46 ( #define INET6_ADDRSTRLEN 46 )

I prefer to not disagree with manuals (46 > 40).

Even if you decide to ignore this -> the following *should* be fixed:

1. the incorrect comment needs to be either removed or 'corrected'
2. addrbuf for ipv6 should be at least 46 or INET6_ADDRSTRLEN long.
"

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38.2 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      3.4                   Miscellaneous utilities specific t
ii  iproute          20100519-3            networking and traffic control too
ii  isc-dhcp-common  4.1.1-P1-15+squeeze2  common files used by all the isc-d
ii  libc6            2.11.2-10             Embedded GNU C Library: Shared lib

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd    (no description available)
pn  resolvconf       (no description available)

-- Configuration Files:
/etc/dhcp/dhclient.conf changed [not included]

-- no debconf information

----- End forwarded message -----
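
Added example (not part of the original report and not ISC DHCP code): the size mismatch described above, reproduced with the two sizeof expressions from the report, next to a bounded copy that refuses a string that does not fit instead of writing past a 40-byte buffer. The helper names copy_addr_text and format_in6 are hypothetical, and the input strings and address bytes are constructed for the illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* The two buffer sizes compared in the report. */
#define DHCPV6_ADDRBUF_LEN sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")       /* 40 */
#define PIADDR_PBUF_LEN    sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") /* 46 */

/* Hypothetical helper: bounded stand-in for strcpy(addrbuf, piaddr(...)).
 * Returns 0 on success, -1 if src plus its NUL does not fit in dst. */
static int copy_addr_text(char *dst, size_t dstlen, const char *src)
{
    int n;

    if (dst == NULL || dstlen == 0 || src == NULL)
        return -1;
    n = snprintf(dst, dstlen, "%s", src);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';              /* never hand back a truncated address */
        return -1;
    }
    return 0;
}

/* Hypothetical helper: format 16 raw address bytes with inet_ntop(), which
 * fails (returns NULL) rather than overrunning when dst is too small. */
static int format_in6(const unsigned char raw[16], char *dst, size_t dstlen)
{
    struct in6_addr a;

    memcpy(&a, raw, sizeof(a));
    return inet_ntop(AF_INET6, &a, dst, (socklen_t)dstlen) != NULL ? 0 : -1;
}

int main(void)
{
    /* Constructed input: the longest text piaddr()'s pbuf is sized for. */
    const char *longest = "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255";
    const unsigned char raw[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 };
    char small[DHCPV6_ADDRBUF_LEN], big[INET6_ADDRSTRLEN];

    printf("sizes: addrbuf=%zu pbuf=%zu\n", sizeof small, (size_t)PIADDR_PBUF_LEN);
    printf("copy into 40 bytes: %d\n", copy_addr_text(small, sizeof small, longest));
    printf("copy into 46 bytes: %d\n", copy_addr_text(big, sizeof big, longest));
    if (format_in6(raw, big, sizeof big) == 0)
        printf("inet_ntop: %s\n", big);
    return 0;
}
```

Sizing the destination with INET6_ADDRSTRLEN, as the report's second point asks, makes both copies succeed; the length check then only serves as a guard against future size drift.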