[Bug 3979] udhcpc should filter out malicious hostnames passed in option 0x0c

bugzilla at busybox.net bugzilla at busybox.net
Wed Apr 16 15:33:38 UTC 2014


https://bugs.busybox.net/show_bug.cgi?id=3979

--- Comment #9 from Denys Vlasenko <vda.linux at googlemail.com> 2014-04-16 15:33:37 UTC ---
(In reply to comment #8)
> Hi,
> 
> Sorry to beat a dead horse, but commit 7280d2017d8075267a12e469983e38277dcf0374
> effectively broke udhcpc, so now it refuses to work with multiple domains in
> the "search" line, replacing all of them with the single word "bad".
> IMHO, you should not touch DOMAIN_NAME if it does not contain really bad
> characters. As said earlier - it should not be so anal ;)
> 
> 
> Our environment has 5 different sites, and we populate resolv.conf with the
> following DHCP settings:
> 
> option domain-name "siteX.sub.domain sub.domain domain";
> option domain-name-servers 10.2.1.1, 10.7.1.2, 10.21.1.2;
> 
> Such a configuration is happily accepted by all Linux servers (and even
> Windows), leaving us with the following in /etc/resolv.conf:
> 
> search site1.sub.domain sub.domain domain
> nameserver 10.2.1.1
> nameserver 10.7.1.2
> nameserver 10.21.1.2

This is an abuse of the "domain" option to contain a list of search domains
instead.

Despite it being accepted, this config is wrong: it says that your machine
belongs to the "siteX.sub.domain sub.domain domain" domain, which is
obviously wrong.

Some systems put this string into /etc/resolv.conf's "domain" directive.
"man resolv.conf" says:

"""
       domain <Local domain name>
              Most queries for names within this domain can use short names
              relative to the local domain.
"""

> But now it is not true for installers based on the updated busybox - in my
> case it is Debian 7.2 x64:
> 
> search bad
> nameserver 10.2.1.1
> nameserver 10.7.1.2
> nameserver 10.21.1.2

> As a possible workaround, I've got recommendations to use the following DHCP
> config (and I was able to overcome that "bad" stuff):
> 
> option domain-name "siteX.sub.domain";
> option domain-search "sub.domain","domain";
> option domain-name-servers 10.2.1.1, 10.7.1.2, 10.21.1.2;

This looks correct: it uses the correct option to pass a list of search domains.

> But such a config brings other bad things and incompatibilities:
> 
> ; generated by /sbin/dhclient-script
> search sub.domain. domain. 
> nameserver 10.2.1.1
> nameserver 10.7.1.2
> nameserver 10.21.1.2

Please attach your /sbin/dhclient-script and a tcpdump capture of the DHCP
reply packet which carries the data.

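The disagreement in this thread is whether a DHCP-supplied domain value is validated as one name or as a space-separated list of names. The C sketch below is an added example, not busybox's code and not part of the original message; the RFC 1123 style label rules and the names good_name, single_name and name_list are assumptions made for illustration. It applies both policies to the option value quoted in comment #8.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if s[0..len) is a single DNS name built from RFC 1123 style labels. */
static int good_name(const char *s, size_t len)
{
    size_t i, label = 0;
    if (len && s[len - 1] == '.')
        len--;                      /* allow one trailing root dot */
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;           /* empty label, or label ends in '-' */
            label = 0;
        } else if ((!isalnum(c) && c != '-') || (c == '-' && label == 0) || ++label > 63) {
            return 0;               /* space, ';', '$', newline, leading '-', too long */
        }
    }
    return label != 0 && s[len - 1] != '-';
}

/* Single-name policy: anything that is not one clean name becomes "bad". */
static const char *single_name(const char *val)
{
    return good_name(val, strlen(val)) ? val : "bad";
}

/* List policy: every space-separated token must pass on its own.
 * Returns the number of names, or 0 if any token is rejected. */
static int name_list(const char *val)
{
    int n = 0;
    while (*val) {
        size_t len = strcspn(val, " ");
        if (!good_name(val, len)) return 0;
        n++;
        val += len + strspn(val + len, " ");
    }
    return n;
}

int main(void)
{
    const char *v = "siteX.sub.domain sub.domain domain"; /* value quoted in the thread */
    printf("single: %s, list: %d names\n", single_name(v), name_list(v));
    return 0;
}
```

Under either policy a token containing shell or resolv.conf metacharacters is rejected; the two differ only in whether a space is treated as a separator or as a bad character.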