Report information

The Basics
Id: 47554
Status: open
Estimated: 8 hours (480 minutes)
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: (no value)
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: 4.4.2 4.1-ESV-R17
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: feature

Dates
Created: Mon, 30 Apr 2018 09:48:45 -0400
Updated: Wed, 23 May 2018 06:43:44 -0400
Closed: Not set

Date: Mon, 30 Apr 2018 13:48:44 +0000
From: tmark@isc.org
To: dhcp-public@isc.org
Subject: Server delegates previously owned prefix even though the client's network has changed
If a client releases a delegated prefix and then returns on another network and uses that prefix as a prefix hint, the server will still delegate the prefix. The server should be ensuring that the client is on the same network as it was when it originally owned the prefix. The attached patch adds a check to prefix_is_owned().
Subject: 12729.diff
diff --git a/server/dhcpv6.c b/server/dhcpv6.c index a7110f9..b385079 100644 --- a/server/dhcpv6.c +++ b/server/dhcpv6.c @@ -4747,9 +4747,17 @@ prefix_is_owned(struct reply_state *reply, struct iaddrcidrnet *pref) { for (i = 0 ; i < reply->old_ia->num_iasubopt ; i++) { struct iasubopt *tmp; + struct shared_network *candidate_shared; tmp = reply->old_ia->iasubopt[i]; + /* We can only use it if it comes from a pool within + * the client's network */ + candidate_shared = tmp->ipv6_pool->shared_network; + if (candidate_shared != reply->shared) { + continue; + } + if ((pref->bits == (int) tmp->plen) && (memcmp(pref->lo_addr.iabuf, &tmp->addr, 16) == 0)) { if (lease6_usable(tmp) == ISC_FALSE) {
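Review bot: tmp->ipv6_pool is dereferenced in the added line "candidate_shared = tmp->ipv6_pool->shared_network;" with no NULL check visible in this hunk; if an iasubopt on old_ia can ever be without a pool, guard the pointer before the comparison. The "candidate_shared != reply->shared" test also skips every prefix whose pool is not attached to the client's shared network, so a prefix from a globally scoped pool, which the find_client_prefix() comment quoted in the feedback below says should be considered, would never be reported as owned. If global pools are meant to work and are represented by a NULL shared_network (an assumption, not shown in these lines), the condition would need to be "candidate_shared != NULL && candidate_shared != reply->shared"; if they are not supported, the comment in find_client_prefix() should be corrected in the same change so the two functions agree. A log message on the skip path stating that the hinted prefix was rejected because the client moved networks would make the new behaviour visible to operators.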
Feedback received on visual inspection of the patch (but not from actual testing):

"I haven't had a chance to try out the patch, though it looks like it should address the immediate issue.

There does appear to be an inconsistency in some of the code that the patch continues. In some places it appears as if prefixes for PD can be defined globally while in others it appears as if globally scoped prefixes aren't handled. For an example of possible globally scoped prefixes see dhcpv6.c:find_client_prefix(). There is a comment of:

    /*
     * Consider this prefix if it is in a global pool or
     * if it is scoped in a pool under the client's shared
     * network.
     */

The patch doesn't directly address the case that the prefix is in a global pool. Note that I have not had a chance to try using a global pool for prefixes so I don't know if that actually works or perhaps this comment is left over from previous versions of the code that did allow for global prefixes and that has now been restricted."

Further feedback (from 15th May): "We are still writing unit tests but have tested the patch by hand and haven't found any issues with it."