Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: utf-8
Content-Length: 5314

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    On 02/22/2012 08:32 PM, Shawn Routhier wrote:
    <blockquote cite="mid:43B4C5BA-9CC8-4C18-9320-D0525AC2A4BE@isc.org"
      type="cite"><span class="Apple-style-span" style="font-family:
        arial, helvetica, sans-serif; font-size: 14px; line-height:
        17px; "></span>
      <div><span class="Apple-style-span" style="font-family:
          arial,helvetica,sans-serif; font-size: 14px; line-height:
          17px;">Thank you for your report. &nbsp;We've looked it over and
          there does<br>
          seem to be a problem in the timer code. &nbsp;We're trying to
          figure<br>
          out how it got triggered and how serious it is. &nbsp;Currently we
          think<br>
          it is most likely a configuration issue and so wouldn't be a
          good<br>
          DOS vector.<br>
          <br>
        </span></div>
    </blockquote>
    Yes, nor I've thought it's a security problem since I managed to
    reproduce it.<br>
    <br>
    <blockquote cite="mid:43B4C5BA-9CC8-4C18-9320-D0525AC2A4BE@isc.org"
      type="cite">
      <div><span class="Apple-style-span" style="font-family:
          arial,helvetica,sans-serif; font-size: 14px; line-height:
          17px;">While we look into this we were hoping you might be
          able to<br>
          do some tests and gather some information as well.<br>
          <br>
          Do you know if John tried this with other versions of the
          code?<br>
          Specifically any of the 4.1x versions?<br>
          <br>
        </span></div>
    </blockquote>
    I'll ask but I don't think so as we haven't 4.1 in any supported
    Fedora version and<br>
    he wrote that ha was using dnsmasq as a workaround.<br>
    But I tried to reproduce it with dhcp-4.1.1-P1 and it seems OK<br>
    (well, it should be as the problematic code was added in 4.2.0).<br>
    <br>
    <blockquote cite="mid:43B4C5BA-9CC8-4C18-9320-D0525AC2A4BE@isc.org"
      type="cite">
      <div><span class="Apple-style-span" style="font-family:
          arial,helvetica,sans-serif; font-size: 14px; line-height:
          17px;">Can the test be run with at least two more values for
          the lease times<br>
          instead of "infinite"? &nbsp;The two sets of values that would be
          interesting<br>
          to us are a large number but less than 2^^31 - 1 and a number
          between<br>
          2^^31 and 2^^32 - 1.&nbsp;<br>
          <br>
        </span></div>
    </blockquote>
    I tried it with several values and the result depends on whether<br>
    the (number + cur_tv.tv_sec) is less or more than 2^32-1<br>
    <br>
    results when cur_tv.tv_sec = 1329992027<br>
    -------------------<br>
    2000000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp; ok<br>
    2147483647 (2^31-1) :&nbsp; ok<br>
    2700000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp; ok (2700000000 + cur_tv.tv_sec =
    4029992027 &lt; 2^32-1)<br>
    3000000000 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; :&nbsp; not ok (3000000000 + cur_tv.tv_sec =
    4329992027 &gt; 2^32-1)<br>
    4294967295 (2^32-1) :&nbsp; not ok<br>
    <br>
    <blockquote cite="mid:43B4C5BA-9CC8-4C18-9320-D0525AC2A4BE@isc.org"
      type="cite">
      <div><span class="Apple-style-span" style="font-family:
          arial,helvetica,sans-serif; font-size: 14px; line-height:
          17px;">In the pcap you sent us the client is receiving a lease
          time value of<br>
          80000, but I don't see anything in the configuration file that
          would<br>
          lead to that value. &nbsp;Does that value ring any bells for you or
          John<br>
          (perhaps an older config file? or something leftover from the
          client?)<br>
          <br>
        </span></div>
    </blockquote>
    Yes, I had noted that too but forgot to ask John. I'll do that.<br>
    <br>
    <blockquote cite="mid:43B4C5BA-9CC8-4C18-9320-D0525AC2A4BE@isc.org"
      type="cite">
      <div><span class="Apple-style-span" style="font-family:
          arial,helvetica,sans-serif; font-size: 14px; line-height:
          17px;">While I wouldn't expect it to show much it would be
          interesting to get<br>
          a copy of the lease file to see what the server was trying to
          record at<br>
          the time of failure.<br>
        </span></div>
    </blockquote>
    I'm attaching mine and will ask John for his.<br>
    <br>
    <blockquote cite="mid:43B4C5BA-9CC8-4C18-9320-D0525AC2A4BE@isc.org"
      type="cite">
      <div><span class="Apple-style-span" style="font-family: arial,
          helvetica, sans-serif; font-size: 14px; line-height: 17px; "><br>
          As normal the fix looks like a good start, we may need to
          modify it<br>
          for other compilers (as I recall that's why we included the
          &amp; DHCP_SEC_MAX<br>
          in the previous patch and after we review it some more.<br>
        </span></div>
      <br>
    </blockquote>
    Thanks.<br>
    <br>
    --<br>
    Jiri<br>
  </body>
</html>