From cc9c02cced7043ba8920a82e335bdf2af32a404d Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Aug 11 2011 07:31:12 +0000
Subject: CVE-2011-2748, CVE-2011-2749, #729850
---
diff --git a/dhcp-4.2.1-P1-CVE-2011-2748-2749.patch b/dhcp-4.2.1-P1-CVE-2011-2748-2749.patch
new file mode 100644
index 0000000..7d2250f
--- /dev/null
+++ b/dhcp-4.2.1-P1-CVE-2011-2748-2749.patch
@@ -0,0 +1,59 @@
+diff -up dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/discover.c
+--- dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 2011-08-11 09:25:01.000000000 +0200
++++ dhcp-4.2.1-P1/common/discover.c 2011-08-11 09:28:14.318406808 +0200
+@@ -1389,12 +1389,16 @@ isc_result_t got_one (h)
+ if (result == 0)
+ return ISC_R_UNEXPECTED;
+ 
+- /* If we didn't at least get the fixed portion of the BOOTP
+- packet, drop the packet. We're allowing packets with no
+- sname or filename, because we're aware of at least one
+- client that sends such packets, but this definitely falls
+- into the category of being forgiving. */
+- if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
++ /*
++ * If we didn't at least get the fixed portion of the BOOTP
++ * packet, drop the packet.
++ * Previously we allowed packets with no sname or filename
++ * as we were aware of at least one client that did. But
++ * a bug caused short packets to not work and nobody has
++ * complained, it seems rational to tighten up that
++ * restriction.
++ */
++ if (result < DHCP_FIXED_NON_UDP)
+ return ISC_R_UNEXPECTED;
+ 
+ if (bootp_packet_handler) {
+diff -up dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/options.c
+--- dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 2011-08-11 09:25:01.266574346 +0200
++++ dhcp-4.2.1-P1/common/options.c 2011-08-11 09:25:01.312573904 +0200
+@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, st
+ } else if (bootpp) {
+ mb_size = 64;
+ if (inpacket != NULL &&
+- (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
+- mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
++ (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
++ mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
+ } else
+ mb_size = DHCP_MIN_OPTION_LEN;
+ 
+diff -up dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/server/dhcp.c
+--- dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 2011-08-11 09:25:01.177575204 +0200
++++ dhcp-4.2.1-P1/server/dhcp.c 2011-08-11 09:25:01.314573885 +0200
+@@ -2336,6 +2336,7 @@ void ack_lease (packet, lease, offer, wh
+ * giaddr.
+ */
+ if (!packet->agent_options_stashed &&
++ (packet->options != NULL) &&
+ packet->options->universe_count > agent_universe.index &&
+ packet->options->universes[agent_universe.index] != NULL) {
+ oc = lookup_option (&server_universe, state -> options,
+@@ -4448,6 +4449,7 @@ maybe_return_agent_options(struct packet
+ * by the user into the new state, not just give up.
+ */
+ if (!packet->agent_options_stashed &&
++ (packet->options != NULL) &&
+ packet->options->universe_count > agent_universe.index &&
+ packet->options->universes[agent_universe.index] != NULL &&
+ (options->universe_count <= agent_universe.index ||
diff --git a/dhcp.spec b/dhcp.spec
index e60600f..980275e 100644
--- a/dhcp.spec
+++ b/dhcp.spec
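Review bot: The rewritten bound in cons_options, `(inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP)`, is what removes the length arithmetic that the old `packet_length - DHCP_FIXED_LEN >= 64` could wrap on a short BOOTP packet (assuming packet_length is unsigned, which this hunk does not show), yet nothing in the patch records that the operand order is load-bearing. A comment on that line, `/* compare before subtracting so a short packet cannot wrap mb_size */`, would stop a later cleanup from moving the constant back across the comparison. The discover.c hunk explains why the floor was tightened to `DHCP_FIXED_NON_UDP` but not that it now also guarantees the fixed BOOTP header is present before any later code indexes into it; one sentence there would tie the two changes together. The NULL guards added to ack_lease and maybe_return_agent_options in dhcp.c sit inside conditions whose enclosing functions start and end outside the hunk.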
@@ -16,7 +16,7 @@
 Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.2.1
-Release: 9.%{patchver}%{?dist}
+Release: 10.%{patchver}%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
@@ -69,6 +69,7 @@ Patch29: dhcp420-rh637017.patch
 Patch30: dhcp420-sharedlib.patch
 Patch31: dhcp-4.2.0-PPP.patch
 Patch32: dhcp-4.2.1-P1-CVE-2011-0997.patch
+Patch33: dhcp-4.2.1-P1-CVE-2011-2748-2749.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -314,6 +315,10 @@ rm bind/bind.tar.gz
 # Better fix for CVE-2011-0997: making domain-name check more lenient (#694005)
 %patch32 -p1 -b .CVE-2011-0997
 
+# A pair of defects cause the server to halt upon processing certain packets
+# CVE-2011-2748, CVE-2011-2749, #729850
+%patch33 -p1 -b .CVE-2011-2748-2749
+
 # Copy in the Fedora/RHEL dhclient script
 %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
 %{__install} -p -m 0644 %{SOURCE5} .
@@ -650,6 +655,10 @@ fi
 %{_initddir}/dhcrelay
 
 %changelog
+* Thu Aug 11 2011 Jiri Popelka - 12:4.2.1-10.P1
+- A pair of defects cause the server to halt upon processing certain packets
+ (CVE-2011-2748, CVE-2011-2749, #729850)
+
 * Tue May 17 2011 Jiri Popelka - 12:4.2.1-9.P1
 - Fix typo in triggerun scriptlet (#705417)