From pzhukov@redhat.com  Thu May 25 08:33:42 2017
MIME-Version: 1.0
X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,RCVD_IN_SORBS_SPAM autolearn=no autolearn_force=no version=3.4.0
content-type: text/plain; charset="utf-8"
Message-ID: <87wp958heo.fsf@pzhukov-workstation.usersys.redhat.com>
X-Received: by 10.223.141.244 with SMTP id o107mr26331980wrb.69.1495701216744; Thu, 25 May 2017 01:33:36 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) by bugs.isc.org (Postfix) with ESMTP id 6B01271B5A8 for <dhcp-bugs@bugs.isc.org>; Thu, 25 May 2017 08:33:42 +0000 (UTC)
Received: from mail-wr0-f171.google.com (mail-wr0-f171.google.com [209.85.128.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 40212349315 for <dhcp-bugs@isc.org>; Thu, 25 May 2017 08:33:39 +0000 (UTC)
Received: by mail-wr0-f171.google.com with SMTP id w50so68114855wrc.0 for <dhcp-bugs@isc.org>; Thu, 25 May 2017 01:33:38 -0700 (PDT)
Received: from pzhukov-workstation.usersys.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id m21sm5385119wma.30.2017.05.25.01.33.36 for <dhcp-bugs@isc.org> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 25 May 2017 01:33:36 -0700 (PDT)
Delivered-To: dhcp-bugs@bugs.isc.org
Subject: [PATCH] ISC-BUGS #33377 dhclient: Don't listen on ddns port by  default.
Return-Path: <pzhukov@redhat.com>
X-Original-To: dhcp-bugs@bugs.isc.org
X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version; bh=23GaozSvcprTmVx/YbHg2SFYMSEevwnBswxP9Ce7Dd8=; b=h4vYuoWYjIxzmaUmM3/uQ5o6RE5ZDiU0rUHj+8vO+x5sSkLYeRgqCg6+45s1sKoBk5 9/VhMJDoJMWxKISEJ/Dkbl/MGnqoS5KdO2JpY12i2JIZebLrWe5ENan5oh8FjZJ5MZEF RuipJ+piqpfGLWrMbHb9qj2+dXW9OAEHBqh2bzg7REP6A3az0ID9uPnh2iJhFIA80jLo RqsoTjTuenRs6dY0cT8VZsi+1aHXfPKzyZtbazrRnkV2iRnyv4Ja6XNj2WW2v9t9zxmM wGS6h6w1xwsEVSnZOEISiaNKzilizdPybPAXZLXbIpUmZA4OACtr0zDRmKhpifX0/8CH Blsw==
Date: Thu, 25 May 2017 10:33:35 +0200
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mx.pao1.isc.org
To: dhcp-bugs@isc.org
X-GM-Message-State: AODbwcC8RzP0KBfynN/EUI4nOKuyY7wmZYdjsGOOvsyxW/a7A/jU6ecE xE/r3+AusYsVyoAQccGZTQ==
From: "Pavel Zhukov" <pzhukov@redhat.com>
X-RT-Original-Encoding: ascii
X-RT-Interface: Email
Content-Length: 4875


dhclient listen on random port (in addition to port 68) by default
even if ddns is not used (but compiled in). For some users in secure
environments it's a problem. Changing the behaviour to open port only
before actually using it.

Bug-url: https://bugzilla.redhat.com/1299562
Bug-url: https://bugzilla.redhat.com/962950
Bug-url: https://bugzilla.redhat.com/1386624
---
 common/dns.c             | 43 +++++++++++++++++++++++++++++++++++++++++++
 includes/omapip/isclib.h |  2 ++
 omapip/isclib.c          | 38 ++++++++++----------------------------
 3 files changed, 55 insertions(+), 28 deletions(-)

diff --git a/common/dns.c b/common/dns.c
index 0f8be80..37878bc 100644
--- a/common/dns.c
+++ b/common/dns.c
@@ -2132,6 +2132,41 @@ void ddns_interlude(isc_task_t  *taskp,
 }
 
 /*
+ * Moved here from omapip/isclib.c, function dhcp_context_create.
+ * Create dnsclient only before the first use.
+ */
+static isc_result_t
+dns_client_lazy() {
+	isc_result_t result;
+	if (dhcp_gbl_ctx.dnsclient == NULL){
+		result = dns_client_createx2(dhcp_gbl_ctx.mctx,
+					     dhcp_gbl_ctx.actx,
+					     dhcp_gbl_ctx.taskmgr,
+					     dhcp_gbl_ctx.socketmgr,
+					     dhcp_gbl_ctx.timermgr,
+					     0,
+					     &dhcp_gbl_ctx.dnsclient,
+					     dhcp_gbl_ctx.local4_ptr,
+					     dhcp_gbl_ctx.local6_ptr);
+		if (result != ISC_R_SUCCESS)
+			return result;
+		/*
+		 * If we can't set up the servers we may not be able to
+		 * do DDNS but we should continue to try and perform
+		 * our basic functions and let the user sort it out.
+		 */
+		result = dhcp_dns_client_setservers();
+		if (result != ISC_R_SUCCESS) {
+			log_error("Unable to set resolver from resolv.conf; "
+				  "startup continuing but DDNS support "
+				  "may be affected");
+		}
+	};
+	return ISC_R_SUCCESS;
+}
+
+
+/*
  * This routine does the generic work for sending a ddns message to
  * modify the forward record (A or AAAA) and calls one of a set of
  * routines to build the specific message.
@@ -2154,6 +2189,10 @@ ddns_modify_fwd(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
 	/* Get a pointer to the clientname to make things easier. */
 	clientname = (unsigned char *)ddns_cb->fwd_name.data;
 
+	result = dns_client_lazy();
+	if (result != ISC_R_SUCCESS)
+		return result;
+
 	/* Extract and validate the type of the address. */
 	if (ddns_cb->address.len == 4) {
 		ddns_cb->address_type = dns_rdatatype_a;
@@ -2359,6 +2398,10 @@ ddns_modify_ptr(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
 	unsigned char buf[256];
 	int buflen;
 
+	result = dns_client_lazy();
+	if (result != ISC_R_SUCCESS)
+		return result;
+
 	/*
 	 * Try to lookup the zone in the zone cache.  As with the forward
 	 * case it's okay if we don't have one, the DNS code will try to
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index caa388a..7f2719b 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -98,6 +98,8 @@ typedef struct dhcp_context {
 	isc_timermgr_t	*timermgr;
 #if defined (NSUPDATE)
   	dns_client_t    *dnsclient;
+	isc_sockaddr_t  *local4_ptr;
+	isc_sockaddr_t  *local6_ptr;
 #endif
 } dhcp_context_t;
 
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 781db84..9feee09 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -225,40 +225,22 @@ dhcp_context_create(int flags,
 	}
 
 #if defined (NSUPDATE)
+        /*
+        * Setting addresses only.
+        * All real work will be done later on if needed to avoid listening 
+        * on ddns port if client/server was compiled with ddns support 
+        * but not using it.
+        */
 	if ((flags & DHCP_CONTEXT_POST_DB) != 0) {
-		isc_sockaddr_t localaddr4, *localaddr4_ptr = NULL;
-		isc_sockaddr_t localaddr6, *localaddr6_ptr = NULL;
+		isc_sockaddr_t localaddr4;
+		isc_sockaddr_t localaddr6;
 		if (local4 != NULL) {
 			isc_sockaddr_fromin(&localaddr4, local4, 0);
-			localaddr4_ptr = &localaddr4;
+			dhcp_gbl_ctx.local4_ptr = &localaddr4;
 		}
 		if (local6 != NULL) {
 			isc_sockaddr_fromin6(&localaddr6, local6, 0);
-			localaddr6_ptr = &localaddr6;
-		}
-
-		result = dns_client_createx2(dhcp_gbl_ctx.mctx,
-					     dhcp_gbl_ctx.actx,
-					     dhcp_gbl_ctx.taskmgr,
-					     dhcp_gbl_ctx.socketmgr,
-					     dhcp_gbl_ctx.timermgr,
-					     0,
-					     &dhcp_gbl_ctx.dnsclient,
-					     localaddr4_ptr,
-					     localaddr6_ptr);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		/*
-		 * If we can't set up the servers we may not be able to
-		 * do DDNS but we should continue to try and perform
-		 * our basic functions and let the user sort it out.
-		 */
-		result = dhcp_dns_client_setservers();
-		if (result != ISC_R_SUCCESS) {
-			log_error("Unable to set resolver from resolv.conf; "
-				  "startup continuing but DDNS support "
-				  "may be affected");
+			dhcp_gbl_ctx.local6_ptr = &localaddr6;
 		}
 	}
 #endif
-- 
2.9.3