Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet

To: 690889@bugs.debian.org
Cc: Dave Rawks <dave@pandora.com>
Subject: Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Fri, 19 Oct 2012 23:20:03 +0400
Message-id: <[🔎] 5081A7E3.3060909@msgid.tls.msk.ru>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 690889@bugs.debian.org
In-reply-to: <[🔎] 5080FBA5.4000701@msgid.tls.msk.ru>
References: <[🔎] 20121018204957.19267.42867.reportbug@systest-2.savagebeast.com> <[🔎] 5080FBA5.4000701@msgid.tls.msk.ru>

On 19.10.2012 11:05, Michael Tokarev wrote:
> On 19.10.2012 00:49, Dave Rawks wrote:
>> Package: udhcpc
>> Version: :1.20.0-7
>> Severity: normal
>> Tags: d-i
>>
>> udhcpc always returns a domain of "bad" when receiving a valid dhcp ack
>> from an upstream dhcp server. To reproduce first create a shellscript to
>> dump all of the variables set by udhcpc uppon successful receipt of a lease:
> 
>> I've tcpdumped both the client and server side of the dhcp exchange and
>> wireshark decodes the full ack packet as a valid dhcp/bootp ack AND includes
>> the correct domainname as configured to be sent on the server.
> 
> Please tell us WHICH domain name is treated as "bad".
>
> You're hitting this fix for CVE-2011-0997:

The new function to verify name validity introduced to fix CVE-2011-0997
disallows names with trailing dots.  So any domain name ending in a dot
is rejected and is substituted with "bad" as subject says.

This is questionable - both the usage of names with trailing dot in this
context (it is not entirely DNS anymore, where trailing dot is obviously
allowed and perfectly valid), and rejecting of such names.

On one hand, we should not use such name (with trailing dot) without stripping
the dot first, since, I guess, other components of the system (or installer)
may break not expecting this trailing dot.  Currently, udhcpc does not do
this.

On another hand, modifying options does not sound good.

The comment in the change says:

+/* We don't need to be particularly anal. For example, allowing _, hyphen
+ * at the end, or leading and trailing dots would be ok, since it
+ * can't be used for attacks. [...]

but actually it does NOT allow neither leading nor trailing dots.
I disagree, to me neither of these is good since it can lead to,
at least, surprizes, -- in other software which is not expected
to see these dots.  And this is exactly what this issue is about:
CVE-2011-0997 says about surprizes when malicious DHCP server is
sending not entirely correct replies.

I'd say, for now at least, -- fix your DHCP once and for all and
be done with this issue.

Thanks,

/mjt

> http://git.busybox.net/busybox/commit/?id=7280d2017d8075267a12e469983e38277dcf0374
> "udhcpc: sanitize hostnames in incoming packets. Closes 3979."
> https://bugs.busybox.net/show_bug.cgi?id=3979
> https://bugzilla.redhat.com/show_bug.cgi?id=689832
> 
>> Testing with isc-dhcp-client also yields a successful lease with the correct
>> domain name set.
> 
> So the fix in busybox is different than implementd in isc-dhcp.

Reply to:

Follow-Ups:
- Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet
  - From: Dave Rawks <dave@pandora.com>

References:
- Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet
  - From: Dave Rawks <dave@pandora.com>
- Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet
  - From: Michael Tokarev <mjt@tls.msk.ru>

Prev by Date: Bug#690978: debian-installer: d-i unable to find disk storage on Hyper-V
Next by Date: Bug#690944: marked as done (installation-reports: succesfull installation report)
Previous by thread: Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet
Next by thread: Bug#690889: udhcpc always returns a domain of "bad" when receiving a valid dhcp ack packet
Index(es):
- Date
- Thread