[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#605808: marked as done (rdnssd does not properly handle the lifetime field of the RDNSS option)



Your message dated Fri, 14 Oct 2016 10:23:35 +0000
with message-id <E1buzeJ-0001KB-Jj@franck.debian.org>
and subject line Bug#605808: fixed in ndisc6 1.0.3-1
has caused the Debian Bug report #605808,
regarding rdnssd does not properly handle the lifetime field of the RDNSS option
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
605808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605808
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: rdnssd
Version: 0.9.7-1
Severity: normal
Tags: patch

Hi,

According to RFC 5006, section 5.1, the lifetime field of an RDNSS option has a
special meaning for the values of zero and all-ones:

   A value of all one bits (0xffffffff) represents infinity.  A value of
   zero means that the RDNSS address MUST no longer be used.

Thus said, rdnssd unconditionally adds the value of lifetime to the 
current timestamp (now), which causes two undesired effects:

1. In the case of all ones, it causes the unsigned 32-bit expiry variable to
   wrap-around and the subsequent code to completely ignore the DNS servers specified.
2. In the case of lifetime being zero, it ignores the current RDNSS, but does
   not remove the specified nameservers from the server list.

Attached you will find a patch working around this issue. The patch is 
against 1.0.0, but it applies cleanly to 0.9.7 as well.

Thanks

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (500, 'stable'), (80, 'testing'), (70, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages rdnssd depends on:
ii  adduser                       3.110      add and remove users and groups
ii  libc6                         2.10.2-2   GNU C Library: Shared libraries

Versions of packages rdnssd recommends:
pn  resolvconf                    <none>     (no description available)

Versions of packages rdnssd suggests:
ii  ndisc6                        0.9.7-1    IPv6 diagnostic tools

-- no debconf information
Index: ndisc6-1.0.0/rdnssd/rdnssd.c
===================================================================
--- ndisc6-1.0.0.orig/rdnssd/rdnssd.c	2010-12-02 21:53:21.000000000 +0200
+++ ndisc6-1.0.0/rdnssd/rdnssd.c	2010-12-02 22:57:49.000000000 +0200
@@ -156,6 +156,19 @@
 			if ((expiry - servers.list[MAX_RDNSS - 1].expiry) >= 0)
 				i = MAX_RDNSS - 1;
 		}
+	} else if (expiry == now) {
+		/* Per RFC 5006 "A [lifetime] value of zero means that the
+		   RDNSS address MUST no longer be used", so remove the
+		   server from the list and replace it with the last server */
+
+		if (servers.count > 1) {
+			addr = &servers.list[servers.count - 1].addr;
+			ifindex = servers.list[servers.count - 1].ifindex;
+			expiry = servers.list[servers.count - 1].expiry;
+		}
+		servers.count--;
+		if (servers.count == 0)
+			return;
 	}
 
 	memcpy (&servers.list[i].addr, addr, sizeof (*addr));
@@ -185,6 +198,7 @@
 		struct nd_opt_rdnss *rdnss_opt;
 		size_t nd_opt_len = opt->nd_opt_len;
 		uint32_t lifetime;
+		uint32_t rdnss_lifetime;
 
 		if (nd_opt_len == 0 || opts_len < (nd_opt_len << 3))
 			return -1;
@@ -204,7 +218,13 @@
 			now = ts.tv_sec;
 		}
 
-		lifetime = now + ntohl(rdnss_opt->nd_opt_rdnss_lifetime);
+		rdnss_lifetime = ntohl(rdnss_opt->nd_opt_rdnss_lifetime);
+		if (rdnss_lifetime == 0xffffffff) {
+			/* Per RFC 5006, unlimited */
+			lifetime = rdnss_lifetime;
+		} else {
+			lifetime = now + rdnss_lifetime;
+		}
 
 		for (struct in6_addr *addr = (struct in6_addr *) (rdnss_opt + 1);
 		     nd_opt_len >= 2; addr++, nd_opt_len -= 2)

--- End Message ---
--- Begin Message ---
Source: ndisc6
Source-Version: 1.0.3-1

We believe that the bug you reported is fixed in the latest version of
ndisc6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605808@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated ndisc6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 14 Oct 2016 09:06:41 +0200
Source: ndisc6
Binary: ndisc6 ndisc6-udeb rdnssd rdnssd-udeb
Architecture: source
Version: 1.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <berni@debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 ndisc6     - IPv6 diagnostic tools
 ndisc6-udeb - IPv6 diagnostic tools (udeb)
 rdnssd     - IPv6 recursive DNS server discovery daemon
 rdnssd-udeb - IPv6 recursive DNS server discovery daemon (udeb)
Closes: 599870 605808 627777 658254 713004
Changes:
 ndisc6 (1.0.3-1) unstable; urgency=medium
 .
   * Adopt package (Closes: #713004)
     - Switch to dh9, enable all hardening
     - Add Vcs-* fields
     - bump standards to 3.9.8, no changes necessary
   * New upstream version 1.0.3
     - Closes: #599870, #605808, #627777, #658254
   * Refresh patches
   * drop perl dependency of rdnssd, the hook is now a shell script
   * fix lsb-base dependency on rdnssd
Checksums-Sha1:
 59f5892f268a4b65310866946913b9b568608474 2023 ndisc6_1.0.3-1.dsc
 7e7e8c9e23c66c0327bd71625f62cb64ec4ffd41 260294 ndisc6_1.0.3.orig.tar.bz2
 f4a288b8ec2444bb57ff9e141d8a0b0ded2b3036 7144 ndisc6_1.0.3-1.debian.tar.xz
Checksums-Sha256:
 961e4a72f7feed44863039db8e536f7d33087c4af55acda39611e7737071b54d 2023 ndisc6_1.0.3-1.dsc
 0f41d6caf5f2edc1a12924956ae8b1d372e3b426bd7b11eed7d38bc974eec821 260294 ndisc6_1.0.3.orig.tar.bz2
 b3928a5f7ef3195f1e5b41ca941603744f4ffc4ec7a8af78a15ff7efff3d1315 7144 ndisc6_1.0.3-1.debian.tar.xz
Files:
 7f17318ce5954b19c85ecf513a97f0f8 2023 net optional ndisc6_1.0.3-1.dsc
 21afdaa3a5a5c1ce50eb7f2b7d795989 260294 net optional ndisc6_1.0.3.orig.tar.bz2
 0eda6bb149b537e4ba59b952794bf74c 7144 net optional ndisc6_1.0.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIuBAEBCAAYBQJYAJqgERxiZXJuaUBkZWJpYW4ub3JnAAoJEHdQeeW4ULyTTvQP
/jAN8DYbtnoZUINzROsLQv6ezv92kaSf0siV+PSayl7JtYDpF8GcDEIire37/oCX
8bmpmHH0YgJUM8jvNV5Hr9v2SRc7oIVFUc4iMZeznXe2lP3F9115MZJpGbz05adM
SRsNQIKcji/JFxxqwmZRwIT2l8Gt4kvr/CCZFQ6aVaGD73SlDcrTx9Lfen2YZDqk
ZV2RINBKExLEbQtFOJXEybvf1FKJXpbkWPzlaaG8ST1cbqntgcGmN0kgEL+AElqJ
wvz8dDHg1tzEsz7kyiTzTFNe2ctQQ7hnUX7XgTq/uiAzK9kBjmNkznaRE0yPh9nS
6eXj9JMrVLi6Tp5O/IQLKkP0pR+RZs6XsDevwWrGk/LeEm+Pe0VGuarDoW1yFXDJ
IWQBD3Jel1za5T+II4RqM/Lug7xcIEKbfX0hEGceshn6+8X67F0tGYokCvzhp82+
w+eRLTI2iucXcWlfLrORIt3wyRT1OBatdqevs9LTAlOWF0Zhoa4BTcBFDoW7QhN/
za2MSW+Dvq3trwfjVUKtqprOxs8DXn3P1t9u7D7yjCxWS5CyBuPprLwPycdlPkKh
9+mxqciQIYUfQWg9SAsjm9d+iqPjgQqOMbSwfJwWRE5VQq+E3r7Idw5U8RbFNcoi
GtdmJecMl43CaO76Z7h2X9sDYjlKf7f8QkmC9YrbIHJ4
=UvCc
-----END PGP SIGNATURE-----

--- End Message ---

Reply to: