[Bug 3979] udhcpc should filter out malicious hostnames passed in option 0x0c

bugzilla at busybox.net bugzilla at busybox.net
Fri Apr 18 18:50:02 UTC 2014


https://bugs.busybox.net/show_bug.cgi?id=3979

--- Comment #16 from Denys Vlasenko <vda.linux at googlemail.com> 2014-04-18 18:50:01 UTC ---
(In reply to comment #15)
> Such dhcpd config (irrelevant lines are skipped):
> 
> nis-domain "some"; 
> subnet-mask 255.255.0.0; 
> broadcast-address 172.*.255; 
> domain-name "siteX.sub.domain"; 
> domain-search
> "siteX.sub.domain","sub.domain","domain","other.sub.domain","other.domain";
> domain-name-servers 10.*,10.*,10.*,10.*; 
> ntp-servers 10.*; 
> routers 172.*;
> 
> Generates following leases on different OS:
> 
> from CentOS 6.x:
> 
> lease {
>   interface "eth0";
>   fixed-address 172.*;
>   filename "pxelinux.0";
>   option subnet-mask 255.255.0.0;
>   option routers 172.*;
>   option dhcp-lease-time 36000;
>   option dhcp-message-type 5;
>   option domain-name-servers 10.*,10.*,10.*,10.*;
>   option dhcp-server-identifier 10.*;
>   option domain-search "siteX.sub.domain.", "sub.domain.", "domain.",
> "other.sub.domain.", "other.domain.";

Seems to work here.
Trailing dot looks wrong, you may want to file a bug against this client
software.

> As you can see, 5.x stuff even not asking for domain-search stuff.

Yes, it probably doesn't support that.


> And, even we add following to dhcpd config, it still ignored all together in
> 5.x:
> 
> option domain-forced-list code 119 = string;
> domain-forced-list
> "siteX.sub.domain","sub.domain","domain","other.sub.domain","other.domain";

Option 119 is not a string option, it uses "\003foo\004blah\003com\000"
encoding (RFC 1035).

> So, following advices to use "right options", we hitting even more problems and incompatibilities in different OS.

Because many clients have bugs in handling more recently introduced options.
Such is life. Bugs needs to be filed in bugzillas to get them fixed.


> Can't provide you with tcpdump yet, but you already know what is there.

I do want tcpdump, because I in fact don't know what _exactly_ is there. For
example, trailing dot problem can exist in bbox's DHCP client, udhcpc, and in
order to test it, I want to see a real-world example of the packed, instead of
assuming what's there.

-- 
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the busybox-cvs mailing list