-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix dhcp option buffer issue #12033
Fix dhcp option buffer issue #12033
Conversation
Signed-off-by: Gang Lv ganglv@microsoft.com
Possible to test in KVM? |
I have used kvm and sonic-mgmt to verify this issue. |
Please merge it together with sonic-mgmt PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Add end2end test: |
Why I did it Current isc-dhcp uses below code to remove DHCP option: memmove(sp, op, op[1] + 2); sp += op[1] + 2; sp points to the option to be stripped, we can call it as option S. op points to the option after options S, we can call it as option O. DHCP option is a typical type-length-value structure, the first byte is type, the second byte is length, and remain parts are value. In this case, option O length is bigger than option S, and more than 2 bytes, after the memmove, we will get this result: Now Option S and Option O are overwritten, op[1] was the length of Option O, and it's modified after memmove. But current implementation is still using op[1] as length to update sp (sp+=op[1]+2), so we get the wrong sp. How I did it Create patch from https://github.com/isc-projects/dhcp The new impelementation use mlen to store the length of Option O before memmove, that's how it fixed the bug. size_t mlen = op[1] + 2; memmove(sp, op, mlen); sp += mlen; How to verify it I have a PR for sonic-mgmt to cover this issue: sonic-net/sonic-mgmt#6330 Signed-off-by: Gang Lv ganglv@microsoft.com
Why I did it Current isc-dhcp uses below code to remove DHCP option: memmove(sp, op, op[1] + 2); sp += op[1] + 2; sp points to the option to be stripped, we can call it as option S. op points to the option after options S, we can call it as option O. DHCP option is a typical type-length-value structure, the first byte is type, the second byte is length, and remain parts are value. In this case, option O length is bigger than option S, and more than 2 bytes, after the memmove, we will get this result: Now Option S and Option O are overwritten, op[1] was the length of Option O, and it's modified after memmove. But current implementation is still using op[1] as length to update sp (sp+=op[1]+2), so we get the wrong sp. How I did it Create patch from https://github.com/isc-projects/dhcp The new impelementation use mlen to store the length of Option O before memmove, that's how it fixed the bug. size_t mlen = op[1] + 2; memmove(sp, op, mlen); sp += mlen; How to verify it I have a PR for sonic-mgmt to cover this issue: sonic-net/sonic-mgmt#6330 Signed-off-by: Gang Lv ganglv@microsoft.com
Signed-off-by: Gang Lv ganglv@microsoft.com What is the motivation for this PR? dhcp relay has an option82 related pr, and we need to update e2e test to verify this issue: sonic-net/sonic-buildimage#12033 How did you do it? Update dhcp offer packet, add option82 and another option. After dhcp relay, option82 should be stripped. How did you verify/test it? I used kvm to verify this test case.
Signed-off-by: Gang Lv ganglv@microsoft.com What is the motivation for this PR? dhcp relay has an option82 related pr, and we need to update e2e test to verify this issue: sonic-net/sonic-buildimage#12033 How did you do it? Update dhcp offer packet, add option82 and another option. After dhcp relay, option82 should be stripped. How did you verify/test it? I used kvm to verify this test case.
Signed-off-by: Gang Lv ganglv@microsoft.com What is the motivation for this PR? dhcp relay has an option82 related pr, and we need to update e2e test to verify this issue: sonic-net/sonic-buildimage#12033 How did you do it? Update dhcp offer packet, add option82 and another option. After dhcp relay, option82 should be stripped. How did you verify/test it? I used kvm to verify this test case.
Why I did it Current isc-dhcp uses below code to remove DHCP option: memmove(sp, op, op[1] + 2); sp += op[1] + 2; sp points to the option to be stripped, we can call it as option S. op points to the option after options S, we can call it as option O. DHCP option is a typical type-length-value structure, the first byte is type, the second byte is length, and remain parts are value. In this case, option O length is bigger than option S, and more than 2 bytes, after the memmove, we will get this result: Now Option S and Option O are overwritten, op[1] was the length of Option O, and it's modified after memmove. But current implementation is still using op[1] as length to update sp (sp+=op[1]+2), so we get the wrong sp. How I did it Create patch from https://github.com/isc-projects/dhcp The new impelementation use mlen to store the length of Option O before memmove, that's how it fixed the bug. size_t mlen = op[1] + 2; memmove(sp, op, mlen); sp += mlen; How to verify it I have a PR for sonic-mgmt to cover this issue: sonic-net/sonic-mgmt#6330 Signed-off-by: Gang Lv ganglv@microsoft.com
Cherry-pick PR to 202111: #12385 |
Why I did it Current isc-dhcp uses below code to remove DHCP option: memmove(sp, op, op[1] + 2); sp += op[1] + 2; sp points to the option to be stripped, we can call it as option S. op points to the option after options S, we can call it as option O. DHCP option is a typical type-length-value structure, the first byte is type, the second byte is length, and remain parts are value. In this case, option O length is bigger than option S, and more than 2 bytes, after the memmove, we will get this result: Now Option S and Option O are overwritten, op[1] was the length of Option O, and it's modified after memmove. But current implementation is still using op[1] as length to update sp (sp+=op[1]+2), so we get the wrong sp. How I did it Create patch from https://github.com/isc-projects/dhcp The new impelementation use mlen to store the length of Option O before memmove, that's how it fixed the bug. size_t mlen = op[1] + 2; memmove(sp, op, mlen); sp += mlen; How to verify it I have a PR for sonic-mgmt to cover this issue: sonic-net/sonic-mgmt#6330 Signed-off-by: Gang Lv ganglv@microsoft.com Signed-off-by: Gang Lv ganglv@microsoft.com Co-authored-by: ganglv <88995770+ganglyu@users.noreply.github.com>
Signed-off-by: Gang Lv ganglv@microsoft.com What is the motivation for this PR? dhcp relay has an option82 related pr, and we need to update e2e test to verify this issue: sonic-net/sonic-buildimage#12033 How did you do it? Update dhcp offer packet, add option82 and another option. After dhcp relay, option82 should be stripped. How did you verify/test it? I used kvm to verify this test case.
Why I did it #12033 How I did it How to verify it
Signed-off-by: Gang Lv ganglv@microsoft.com What is the motivation for this PR? dhcp relay has an option82 related pr, and we need to update e2e test to verify this issue: sonic-net/sonic-buildimage#12033 How did you do it? Update dhcp offer packet, add option82 and another option. After dhcp relay, option82 should be stripped. How did you verify/test it? I used kvm to verify this test case.
What is the motivation for this PR? dhcp relay has an option82 related pr, and we need to update e2e test to verify this issue: sonic-net/sonic-buildimage#12033 How did you do it? Update dhcp offer packet, add option82 and another option. After dhcp relay, option82 should be stripped. How did you verify/test it? I used kvm to verify this test case.
Signed-off-by: Gang Lv ganglv@microsoft.com
Why I did it
Current isc-dhcp uses below code to remove DHCP option:
memmove(sp, op, op[1] + 2);
sp += op[1] + 2;
sp points to the option to be stripped, we can call it as option S.
op points to the option after options S, we can call it as option O.
DHCP option is a typical type-length-value structure, the first byte is type, the second byte is length, and remain parts are value.
In this case, option O length is bigger than option S, and more than 2 bytes, after the memmove, we will get this result:
Now Option S and Option O are overwritten, op[1] was the length of Option O, and it's modified after memmove.
But current implementation is still using op[1] as length to update sp (sp+=op[1]+2), so we get the wrong sp.
How I did it
Create patch from https://github.com/isc-projects/dhcp
The new impelementation use mlen to store the length of Option O before memmove, that's how it fixed the bug.
size_t mlen = op[1] + 2;
memmove(sp, op, mlen);
sp += mlen;
How to verify it
I have a PR for sonic-mgmt to cover this issue:
sonic-net/sonic-mgmt#6330
Which release branch to backport (provide reason below if selected)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)