On Thu Feb 23 11:51:58 2012, levon@movementarian.org wrote:
> On Thu, Feb 23, 2012 at 12:40:23PM +0100, Jiri Popelka wrote:
>
> > On 02/22/2012 08:32 PM, Shawn Routhier wrote:
> > >Thank you for your report. We've looked it over and there does
> > >seem to be a problem in the timer code. We're trying to figure
> > >out how it got triggered and how serious it is. Currently we think
> > >it is most likely a configuration issue and so wouldn't be a good
> > >DOS vector.
> > >
> > Yes, nor have I thought it's a security problem since I managed to
> > reproduce it.
>
> What kind of configuration issue? Is there something "wrong" in my
> dhcpd.conf?

Our current theory is that using "infinite" as the lease time is causing
problems as the value gets passed around and eventually gets to
the timer code (when compiled and used on a 64-bit OS).  Other numbers
of the appropriate size would also be an issue.

If so then this would mean that an outside attacker
wouldn't be able to damage the server.

>
> > >While we look into this we were hoping you might be able to
> > >do some tests and gather some information as well.
> > >
> > >Do you know if John tried this with other versions of the code?
> > >Specifically any of the 4.1x versions?
> > >
> > I'll ask but I don't think so as we don't have 4.1 in any supported Fedora
> > version and he wrote that he was using dnsmasq as a workaround.
> > But I tried to reproduce it with dhcp-4.1.1-P1 and it seems OK
> > (well, it should be as the problematic code was added in 4.2.0).
>
> No, the last working version I tried was whatever was in Fedora 15.
>
> > >In the pcap you sent us the client is receiving a lease time value of
> > >80000, but I don't see anything in the configuration file that would
> > >lead to that value. Does that value ring any bells for you or John
> > >(perhaps an older config file? or something leftover from the client?)
> > >
> > Yes, I had noted that too but forgot to ask John. I'll do that.
>
> I'd experimented with other lease times, so at the time I was using:
>
> default-lease-time 80000;
> max-lease-time 80000;
>
> The bug was still present.

That's curious, I wouldn't expect that to trigger a timer with
a value greater than 4G.

>
> > >While I wouldn't expect it to show much it would be interesting to get
> > >a copy of the lease file to see what the server was trying to record at
> > >the time of failure.
> > I'm attaching mine and will ask John for his.
>
> I'll have to get back to you if you still need it.

What would be best, given your information about the 80000
value, would be to try and get a complete set of information from
one example - the config file, the lease file and the error messages.
We may eventually want to look at a core dump, but I don't
currently have a place to read it, so getting it isn't a priority.

>
> regards
> john
>
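The theory in the reply above is that an "infinite" lease (the DHCP lease-time option is a 32-bit field, so infinite is 0xffffffff) produces an absolute expiry larger than 4G once it reaches the timer code on a 64-bit build, while a lease of 80000 seconds should not. The following is an added illustration written for this thread, not ISC dhcpd's own timer code: it computes the expiry in 64 bits and reports whether it still fits a hypothetical 32-bit timer field, which is the kind of range check a server could apply when reading lease times from the configuration. The timer width, the function names and the sample clock value (a constructed timestamp from February 2012) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed illustration, not ISC dhcpd code.
 * The DHCP lease-time option is an unsigned 32-bit number of seconds;
 * the value 0xffffffff means an "infinite" lease. */
#define DHCP_INFINITE_LEASE 0xffffffffU

/* Hypothetical timer deadline type: an absolute time in seconds that a
 * scheduler stores in an unsigned 32-bit field (assumption for the example). */
typedef uint32_t timer_seconds_t;

/* Compute the absolute expiry (now + lease) in 64 bits and check whether
 * it fits the 32-bit timer field. Returns 1 and writes *out when it fits,
 * 0 when the deadline would exceed UINT32_MAX (greater than 4G). */
int lease_expiry_fits(time_t now, uint32_t lease_secs, timer_seconds_t *out)
{
    if (now < 0) {
        return 0;               /* a clock before the epoch is not meaningful here */
    }
    uint64_t expiry = (uint64_t)now + (uint64_t)lease_secs;
    if (expiry > (uint64_t)UINT32_MAX) {
        return 0;               /* would overflow the 32-bit timer field */
    }
    *out = (timer_seconds_t)expiry;
    return 1;
}

/* Defensive wrapper for a lease value read from dhcpd.conf: reject any
 * lease whose expiry cannot be represented instead of scheduling it. */
int validate_configured_lease(time_t now, uint32_t lease_secs)
{
    timer_seconds_t deadline;
    return lease_expiry_fits(now, lease_secs, &deadline);
}

int main(void)
{
    /* Constructed sample clock value: roughly 23 February 2012 UTC. */
    const time_t now = 1330000000;
    const uint32_t samples[] = { 80000U, 3000000000U, DHCP_INFINITE_LEASE };
    const char *names[] = { "80000 (from the thread)", "3000000000 (large finite)", "infinite" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        timer_seconds_t deadline;
        if (lease_expiry_fits(now, samples[i], &deadline)) {
            printf("lease %-27s -> expiry %u fits a 32-bit timer\n", names[i], deadline);
        } else {
            printf("lease %-27s -> expiry exceeds 4G, must be rejected\n", names[i]);
        }
    }
    return 0;
}
```

With the sample clock, 80000 yields an expiry around 1.33e9 and passes, whereas both the infinite lease and a finite value of about 3e9 seconds push the deadline past 4,294,967,295; those are the "other numbers of the appropriate size" the reply refers to, and the check turns them into a configuration error rather than an out-of-range timer.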