Fix CVE-2022-2928 and CVE-2022-2929

backport-Fix-CVE-2022-2928.patch

@@ -0,0 +1,114 @@
+Conflict:NA
+Reference:https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2928.4-4-3.diff
+---
+ common/options.c               |  7 +++++
+ common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/common/options.c b/common/options.c
+index a53484e..40238f7 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4499,6 +4499,8 @@ add_option(struct option_state *options,
+ 	if (!option_cache_allocate(&oc, MDL)) {
+ 		log_error("No memory for option cache adding %s (option %d).",
+ 			  option->name, option_num);
++		/* Get rid of reference created during hash lookup. */
++		option_dereference(&option, MDL);
+ 		return 0;
+ 	}
+ 
+@@ -4510,6 +4512,8 @@ add_option(struct option_state *options,
+ 			     MDL)) {
+ 		log_error("No memory for constant data adding %s (option %d).",
+ 			  option->name, option_num);
++		/* Get rid of reference created during hash lookup. */
++		option_dereference(&option, MDL);
+ 		option_cache_dereference(&oc, MDL);
+ 		return 0;
+ 	}
+@@ -4518,6 +4522,9 @@ add_option(struct option_state *options,
+ 	save_option(&dhcp_universe, options, oc);
+ 	option_cache_dereference(&oc, MDL);
+ 
++	/* Get rid of reference created during hash lookup. */
++	option_dereference(&option, MDL);
++
+ 	return 1;
+ }
+ 
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index 0bb6517..c35feee 100644
+--- a/common/tests/option_unittest.c
++++ b/common/tests/option_unittest.c
+@@ -199,6 +199,59 @@ ATF_TC_BODY(parse_code93_option, tc)
+     }
+ }
+ 
++ATF_TC(add_option_ref_cnt);
++
++ATF_TC_HEAD(add_option_ref_cnt, tc)
++{
++	atf_tc_set_md_var(tc, "descr",
++		"Verify add_option() does not leak option ref counts.");
++}
++
++ATF_TC_BODY(add_option_ref_cnt, tc)
++{
++	struct option_state *options = NULL;
++	struct option *option = NULL;
++	unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
++	char *cid_str = "1234";
++	int refcnt_before = 0;
++
++	// Look up the option we're going to add.
++	initialize_common_option_spaces();
++	if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++				&cid_code, 0, MDL)) {
++		atf_tc_fail("cannot find option definition?");
++	}
++
++	// Get the option's reference count before we call add_options.
++	refcnt_before = option->refcnt;
++
++	// Allocate a option_state to which to add an option.
++	if (!option_state_allocate(&options, MDL)) {
++		atf_tc_fail("cannot allocat options state");
++	}
++
++	// Call add_option() to add the option to the option state.
++	if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
++		atf_tc_fail("add_option returned 0");
++	}
++
++	// Verify that calling add_option() only adds 1 to the option ref count.
++	if (option->refcnt != (refcnt_before + 1)) {
++		atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
++			    refcnt_before, option->refcnt);
++	}
++
++	// Derefrence the option_state, this should reduce the ref count to
++	// it's starting value.
++	option_state_dereference(&options, MDL);
++
++	// Verify that dereferencing option_state restores option ref count.
++	if (option->refcnt != refcnt_before) {
++		atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
++			    refcnt_before, option->refcnt);
++	}
++}
++
+ /* This macro defines main() method that will call specified
+    test cases. tp and simple_test_case names can be whatever you want
+    as long as it is a valid variable identifier. */
+@@ -207,6 +260,7 @@ ATF_TP_ADD_TCS(tp)
+     ATF_TP_ADD_TC(tp, option_refcnt);
+     ATF_TP_ADD_TC(tp, pretty_print_option);
+     ATF_TP_ADD_TC(tp, parse_code93_option);
++    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+ 
+     return (atf_no_error());
+ }
+-- 
+2.27.0
+

backport-Fix-CVE-2022-2929.patch

@@ -0,0 +1,34 @@
+Conflict:NA
+Reference:https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2929.4-4-3.diff
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/common/options.c b/common/options.c
+index 40238f7..11b1961 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+ 		while (s < &bp -> data[0] + length + 2) {
+ 			len = *s;
+ 			if (len > 63) {
+-				log_info ("fancy bits in fqdn option");
+-				return 0;
++				log_info ("label length exceeds 63 in fqdn option");
++				goto bad;
+ 			}
+ 			if (len == 0) {
+ 				terminated = 1;
+ 				break;
+ 			}
+ 			if (s + len > &bp -> data [0] + length + 3) {
+-				log_info ("fqdn tag longer than buffer");
+-				return 0;
++				log_info ("fqdn label longer than buffer");
++				goto bad;
+ 			}
+ 
+ 			if (first_len == 0) {
+-- 
+2.27.0
+

dhcp.spec

@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.2
-Release:   14
+Release:   15
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -65,6 +65,8 @@ Patch41: backport-Fix-CVE-2021-25214.patch
 Patch42: backport-Fix-CVE-2021-25215.patch
 Patch43: backport-Fix-CVE-2021-25219.patch
 Patch44: backport-Fix-CVE-2021-25220.patch
+Patch45: backport-Fix-CVE-2022-2928.patch
+Patch46: backport-Fix-CVE-2022-2929.patch
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
 BuildRequires: systemd systemd-devel
@@ -309,6 +311,12 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Mon Oct 17 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-15
+- Type:cves
+- ID:CVE-2022-2928,CVE-2022-2929
+- SUG:restart
+- DESC:Fix CVE-2022-2928 and CVE-2022-2929
+
 * Tue Sep 27 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-14
 - Type:cves
 - ID:CVE-2021-25214, CVE-2021-25215, CVE-2021-25219, CVE-2021-25220