[Bug 605558] [NEW] dhcp3-server segfaults on start with large dynamic lease ranges

Wed, 14 Jul 2010 12:10:43 -0700 

Public bug reported:

When an excessively large dynamic address range is specified in dhcpd.conf, 
dhcpd3 crashes due to a segmentation fault.
Sample dhcpd.conf that exposes this issue: (adding other options has no effect 
on the behavior)
>   subnet 10.0.0.0 netmask 255.0.0.0
>   {
>       range 10.0.0.2 10.255.255.254;
>   }

Expected behavior: Return an "Address range too large" or "Not enough memory" 
error to the user.
Actual behavior: Segmentation fault.

Kernel log:
> Jul 14 13:18:15 TestingBox kernel: [ 2423.369208] dhcpd3[2243]: 
> segfault at 7fbd274eb000 ip 00007fbd27fb12b9 sp 00007fff4fc45e38 error 7 in 
> libc-2.11.1.so[7fbd27f2b000+17a000]

Output from the shell:
> r...@testingbox:~# /etc/init.d/dhcp3-server start
> dhcpd self-test failed. Please fix the config file.
> The error was: 
> Internet Systems Consortium DHCP Server V3.1.3
> Copyright 2004-2009 Internet Systems Consortium.
> All rights reserved.
> For info, please visit https://www.isc.org/software/dhcp/
> Segmentation fault
> r...@testingbox:~# 

It seems highly unlikely this could be a security issue, unless it is a
symptom of a bigger problem. The only way to cause the crash is by
starting the server with a config as per above, and the dhcp3 binary
will not run unless the initiating user is root.

Version information:
> dhcp3-server:
>   Installed: 3.1.3-2ubuntu3
>   Candidate: 3.1.3-2ubuntu3
>   Version table:
>  *** 3.1.3-2ubuntu3 0
>         500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
>         100 /var/lib/dpkg/status

The host that this was tested on has 4 GB of RAM and no swap space allocated.
Platform: Linux TestingBox 2.6.32-23-generic #37-Ubuntu SMP Fri Jun 11 08:03:28 
UTC 2010 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 10.04 LTS
Release: 10.04
Codename: lucid

** Affects: dhcp3 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
dhcp3-server segfaults on start with large dynamic lease ranges
https://bugs.launchpad.net/bugs/605558
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to