Bug #43258 for dhcp-public: dhclient NSUPDATE feature may bind to reserved application ports

Fri, 23 Sep 2016 13:35:46 -0400 Michael Overcash (overcam) <overcam@cisco.com> - Ticket created

Subject:	dhclient NSUPDATE feature may bind to reserved application ports
Date:	Fri, 23 Sep 2016 17:35:35 +0000
To:	"dhcp-bugs@isc.org" <dhcp-bugs@isc.org>
From:	"Michael Overcash (overcam)" <overcam@cisco.com>

We were investigating a bug where a reserved UDP server port could not be opened in rare cases by the application. We determined that in the failure case, the dhclient process was holding the application's port udp/13820, preventing legitimate use by the intended application. See netstat excerpt below:

udp 0 0 0.0.0.0:68 0.0.0.0:* 0 8142 6362/dhclient

udp 200192 0 0.0.0.0:13820 0.0.0.0:* 0 8123 6362/dhclient

Our investigation determined that this port was opened because of the NSUPDATE feature using the following call sequence:

output/out/work/mipsel-*/dhcp-4.3.2/client/dhclient.c:152 function main

output/out/work/mipsel-*/dhcp-4.3.2/omapip/isclib.c:235 function dhcp_context_create
dns_client_createx2
getudpdispatch
dns_dispatch_getudp
dns_dispatch_getudp_dup
dispatch_createudp
get_udpsocket

The get_udpsocket employs logic that attempts 1024 times to find a random unused port. In the failure case, it is selecting a port required for our application. See here: http://users.isc.org/~each/doxygen/bind9/dispatch_8c-source.html#l02865

It is unclear to me why get_udpsocket doesn't just use the Linux port number selection in the first place. However, if get_udpsocket needs to select its own local port number, then it should adhere to the ephemeral (temporary) port range specified in /proc/sys/net/ipv4/ip_local_port_range to avoid these kinds of conflicts.

Thanks,

--

Michael Overcash

Principal Engineer, Cisco SPVSS

Mon, 26 Sep 2016 09:20:22 -0400 Stephen Morris <stephen@isc.org> - Priority P2 Normal added

Mon, 26 Sep 2016 09:20:22 -0400 Stephen Morris <stephen@isc.org> - Severity S2 Normal added

Mon, 26 Sep 2016 09:20:22 -0400 Stephen Morris <stephen@isc.org> - Area bug added

Mon, 26 Sep 2016 09:20:23 -0400 Stephen Morris <stephen@isc.org> - Component DHCP Client added

Thu, 03 Aug 2017 08:08:13 -0400 Cathy Almond <cathya@isc.org> - Priority P2 Normal changed to P3 Low

Thu, 03 Aug 2017 08:08:13 -0400 Cathy Almond <cathya@isc.org> - Versions Planned 4.4.0 added

Mon, 02 Oct 2017 11:17:06 -0400 Thomas Markwalder <tmark@isc.org> - Correspondence added

Hello Michael: The section of code you reported actually comes from within the BIND9 libraries. The code in question was subsequently changed in BIND9 9.11 and no longer uses get_udpsocket(). Our next feature release, ISC DHCP 4.4.0 is due out early Q1 of 2018 and will ship with BIND9 9.12 libraries, thus eliminating your issue. Thank you for bringing this issue to our attention. Regards, Thomas Markwalder ISC Software Engineering

Mon, 02 Oct 2017 11:17:07 -0400 The RT System itself - Status changed from 'new' to 'open'

Mon, 02 Oct 2017 11:17:45 -0400 Thomas Markwalder <tmark@isc.org> - Version Fixed 4.4.0 added

Mon, 02 Oct 2017 11:17:45 -0400 Thomas Markwalder <tmark@isc.org> - Status changed from 'open' to 'resolved'

Mon, 02 Oct 2017 11:17:45 -0400 Thomas Markwalder <tmark@isc.org> - Queue changed from #8 to dhcp-public

Created:	Fri, 23 Sep 2016 13:35:46 -0400
Updated:	Mon, 02 Oct 2017 11:17:45 -0400
Closed:	Mon, 02 Oct 2017 11:17:45 -0400

Bug #43258 for dhcp-public: dhclient NSUPDATE feature may bind to reserved application ports

This bug tracker is no longer active.