3 files changed, 162 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb b/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb
index 92c648708e..499b035040 100644
--- a/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb
+++ b/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://downloads.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
           file://0001-Makefile.am-only-build-dhcrelay.patch \
           file://0002-bind-Makefile.in-disable-backtrace.patch \
           file://0003-bind-Makefile.in-regenerate-configure.patch \
+           file://CVE-2022-2928.patch \
+           file://CVE-2022-2929.patch \
           "
 SRC_URI[sha256sum] = "0e3ec6b4c2a05ec0148874bcd999a66d05518378d77421f607fb0bc9d0135818"
diff --git a/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch
new file mode 100644
index 0000000000..247e8dec68
--- /dev/null
+++ b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
+From 2e08d138ff852820a6e87a09088d2dc2cdd15e56 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 09:57:15 +0530
+Subject: [PATCH 1/2] CVE-2022-2928
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2928
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c               |  7 +++++
+ common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+diff --git a/common/options.c b/common/options.c
+index 92c8fee..f0959cb 100644
+--- a/common/options.c
+++ b/common/options.c
+@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
+        if (!option_cache_allocate(&oc, MDL)) {
+                log_error("No memory for option cache adding %s (option %d).",
+                          option->name, option_num);
+               /* Get rid of reference created during hash lookup. */
+               option_dereference(&option, MDL);
+                return 0;
+        }
+ 
+@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
+                             MDL)) {
+                log_error("No memory for constant data adding %s (option %d).",
+                          option->name, option_num);
+               /* Get rid of reference created during hash lookup. */
+               option_dereference(&option, MDL);
+                option_cache_dereference(&oc, MDL);
+                return 0;
+        }
+@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
+        save_option(&dhcp_universe, options, oc);
+        option_cache_dereference(&oc, MDL);
+ 
+       /* Get rid of reference created during hash lookup. */
+       option_dereference(&option, MDL);
+
+        return 1;
+ }
+ 
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index 600ebe6..963b566 100644
+--- a/common/tests/option_unittest.c
+++ b/common/tests/option_unittest.c
+@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
+     }
+ }
+ 
+ATF_TC(add_option_ref_cnt);
+
+ATF_TC_HEAD(add_option_ref_cnt, tc)
+{
+    atf_tc_set_md_var(tc, "descr",
+        "Verify add_option() does not leak option ref counts.");
+}
+
+ATF_TC_BODY(add_option_ref_cnt, tc)
+{
+    struct option_state *options = NULL;
+    struct option *option = NULL;
+    unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
+    char *cid_str = "1234";
+    int refcnt_before = 0;
+
+    // Look up the option we're going to add.
+    initialize_common_option_spaces();
+    if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
+                                 &cid_code, 0, MDL)) {
+        atf_tc_fail("cannot find option definition?");
+    }
+
+    // Get the option's reference count before we call add_options.
+    refcnt_before = option->refcnt;
+
+    // Allocate a option_state to which to add an option.
+    if (!option_state_allocate(&options, MDL)) {
+           atf_tc_fail("cannot allocat options state");
+    }
+
+    // Call add_option() to add the option to the option state.
+    if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
+           atf_tc_fail("add_option returned 0");
+    }
+
+    // Verify that calling add_option() only adds 1 to the option ref count.
+    if (option->refcnt != (refcnt_before + 1)) {
+        atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+
+    // Derefrence the option_state, this should reduce the ref count to
+    // it's starting value.
+    option_state_dereference(&options, MDL);
+
+    // Verify that dereferencing option_state restores option ref count.
+    if (option->refcnt != refcnt_before) {
+        atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+}
+
+ /* This macro defines main() method that will call specified
+    test cases. tp and simple_test_case names can be whatever you want
+    as long as it is a valid variable identifier. */
+@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
+     ATF_TP_ADD_TC(tp, option_refcnt);
+     ATF_TP_ADD_TC(tp, pretty_print_option);
+     ATF_TP_ADD_TC(tp, parse_X);
+    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+ 
+     return (atf_no_error());
+ }
+-- 
+2.25.1
diff --git a/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch
new file mode 100644
index 0000000000..faaac4868c
--- /dev/null
+++ b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
+From 5436cafe1d7df409a44ff5f610248db57f0677ee Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 09:58:04 +0530
+Subject: [PATCH 2/2] CVE-2022-2929
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2929
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/common/options.c b/common/options.c
+index f0959cb..25450e1 100644
+--- a/common/options.c
+++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+                while (s < &bp -> data[0] + length + 2) {
+                        len = *s;
+                        if (len > 63) {
+-                               log_info ("fancy bits in fqdn option");
+-                               return 0;
+                               log_info ("label length exceeds 63 in fqdn option");
+                               goto bad;
+                        }
+                        if (len == 0) {
+                                terminated = 1;
+                                break;
+                        }
+                        if (s + len > &bp -> data [0] + length + 3) {
+-                               log_info ("fqdn tag longer than buffer");
+-                               return 0;
+                               log_info ("fqdn label longer than buffer");
+                               goto bad;
+                        }
+ 
+                        if (first_len == 0) {
+-- 
+2.25.1

diff --git a/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb b/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb index 92c648708e..499b035040 100644 --- a/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb +++ b/meta-networking/recipes-connectivity/dhcp/dhcp-relay_4.4.3.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://downloads.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
17	file://0001-Makefile.am-only-build-dhcrelay.patch \	17	file://0001-Makefile.am-only-build-dhcrelay.patch \
18	file://0002-bind-Makefile.in-disable-backtrace.patch \	18	file://0002-bind-Makefile.in-disable-backtrace.patch \
19	file://0003-bind-Makefile.in-regenerate-configure.patch \	19	file://0003-bind-Makefile.in-regenerate-configure.patch \
		20	file://CVE-2022-2928.patch \
		21	file://CVE-2022-2929.patch \
20	"	22	"
21		23
22	SRC_URI[sha256sum] = "0e3ec6b4c2a05ec0148874bcd999a66d05518378d77421f607fb0bc9d0135818"	24	SRC_URI[sha256sum] = "0e3ec6b4c2a05ec0148874bcd999a66d05518378d77421f607fb0bc9d0135818"


diff --git a/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch new file mode 100644 index 0000000000..247e8dec68 --- /dev/null +++ b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
		1	From 2e08d138ff852820a6e87a09088d2dc2cdd15e56 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Mon, 10 Oct 2022 09:57:15 +0530
		4	Subject: [PATCH 1/2] CVE-2022-2928
		5
		6	Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
		7	CVE: CVE-2022-2928
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	common/options.c \| 7 +++++
		11	common/tests/option_unittest.c \| 54 ++++++++++++++++++++++++++++++++++
		12	2 files changed, 61 insertions(+)
		13
		14	diff --git a/common/options.c b/common/options.c
		15	index 92c8fee..f0959cb 100644
		16	--- a/common/options.c
		17	+++ b/common/options.c
		18	@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
		19	if (!option_cache_allocate(&oc, MDL)) {
		20	log_error("No memory for option cache adding %s (option %d).",
		21	option->name, option_num);
		22	+ /* Get rid of reference created during hash lookup. */
		23	+ option_dereference(&option, MDL);
		24	return 0;
		25	}
		26
		27	@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
		28	MDL)) {
		29	log_error("No memory for constant data adding %s (option %d).",
		30	option->name, option_num);
		31	+ /* Get rid of reference created during hash lookup. */
		32	+ option_dereference(&option, MDL);
		33	option_cache_dereference(&oc, MDL);
		34	return 0;
		35	}
		36	@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
		37	save_option(&dhcp_universe, options, oc);
		38	option_cache_dereference(&oc, MDL);
		39
		40	+ /* Get rid of reference created during hash lookup. */
		41	+ option_dereference(&option, MDL);
		42	+
		43	return 1;
		44	}
		45
		46	diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
		47	index 600ebe6..963b566 100644
		48	--- a/common/tests/option_unittest.c
		49	+++ b/common/tests/option_unittest.c
		50	@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
		51	}
		52	}
		53
		54	+ATF_TC(add_option_ref_cnt);
		55	+
		56	+ATF_TC_HEAD(add_option_ref_cnt, tc)
		57	+{
		58	+ atf_tc_set_md_var(tc, "descr",
		59	+ "Verify add_option() does not leak option ref counts.");
		60	+}
		61	+
		62	+ATF_TC_BODY(add_option_ref_cnt, tc)
		63	+{
		64	+ struct option_state *options = NULL;
		65	+ struct option *option = NULL;
		66	+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
		67	+ char *cid_str = "1234";
		68	+ int refcnt_before = 0;
		69	+
		70	+ // Look up the option we're going to add.
		71	+ initialize_common_option_spaces();
		72	+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
		73	+ &cid_code, 0, MDL)) {
		74	+ atf_tc_fail("cannot find option definition?");
		75	+ }
		76	+
		77	+ // Get the option's reference count before we call add_options.
		78	+ refcnt_before = option->refcnt;
		79	+
		80	+ // Allocate a option_state to which to add an option.
		81	+ if (!option_state_allocate(&options, MDL)) {
		82	+ atf_tc_fail("cannot allocat options state");
		83	+ }
		84	+
		85	+ // Call add_option() to add the option to the option state.
		86	+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
		87	+ atf_tc_fail("add_option returned 0");
		88	+ }
		89	+
		90	+ // Verify that calling add_option() only adds 1 to the option ref count.
		91	+ if (option->refcnt != (refcnt_before + 1)) {
		92	+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
		93	+ refcnt_before, option->refcnt);
		94	+ }
		95	+
		96	+ // Derefrence the option_state, this should reduce the ref count to
		97	+ // it's starting value.
		98	+ option_state_dereference(&options, MDL);
		99	+
		100	+ // Verify that dereferencing option_state restores option ref count.
		101	+ if (option->refcnt != refcnt_before) {
		102	+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
		103	+ refcnt_before, option->refcnt);
		104	+ }
		105	+}
		106	+
		107	/* This macro defines main() method that will call specified
		108	test cases. tp and simple_test_case names can be whatever you want
		109	as long as it is a valid variable identifier. */
		110	@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
		111	ATF_TP_ADD_TC(tp, option_refcnt);
		112	ATF_TP_ADD_TC(tp, pretty_print_option);
		113	ATF_TP_ADD_TC(tp, parse_X);
		114	+ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
		115
		116	return (atf_no_error());
		117	}
		118	--
		119	2.25.1
		120


diff --git a/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch new file mode 100644 index 0000000000..faaac4868c --- /dev/null +++ b/meta-networking/recipes-connectivity/dhcp/files/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
		1	From 5436cafe1d7df409a44ff5f610248db57f0677ee Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Mon, 10 Oct 2022 09:58:04 +0530
		4	Subject: [PATCH 2/2] CVE-2022-2929
		5
		6	Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
		7	CVE: CVE-2022-2929
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	common/options.c \| 8 ++++----
		11	1 file changed, 4 insertions(+), 4 deletions(-)
		12
		13	diff --git a/common/options.c b/common/options.c
		14	index f0959cb..25450e1 100644
		15	--- a/common/options.c
		16	+++ b/common/options.c
		17	@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
		18	while (s < &bp -> data[0] + length + 2) {
		19	len = *s;
		20	if (len > 63) {
		21	- log_info ("fancy bits in fqdn option");
		22	- return 0;
		23	+ log_info ("label length exceeds 63 in fqdn option");
		24	+ goto bad;
		25	}
		26	if (len == 0) {
		27	terminated = 1;
		28	break;
		29	}
		30	if (s + len > &bp -> data [0] + length + 3) {
		31	- log_info ("fqdn tag longer than buffer");
		32	- return 0;
		33	+ log_info ("fqdn label longer than buffer");
		34	+ goto bad;
		35	}
		36
		37	if (first_len == 0) {
		38	--
		39	2.25.1
		40