dhclient: Using dhcp-lease-time in expressions

Jordan Russell jr-list-2011 at quo.to
Thu Jan 5 04:58:41 UTC 2012


(cc'ing dhcp-bugs)

On 12/15/2011 10:58 PM, Jordan Russell wrote:
> (2) supersede dhcp-renewal-time =
>       encode-int(extract-int(option dhcp-lease-time, 32) / 10, 32);

I now see why the above statement isn't having an effect.

It turns out that extract-int() always returns null when a bit width of
16 or 32 is specified due to an apparent use-after-destroy flaw in
tree.c (still present in 4.2.3-P1).

The problem lines in the 32-bit path:

    if (status) data_string_forget (&data, MDL);
    return (status && data.len >= 4);

data_string_forget() fills the entire "data" structure with zeroes,
therefore "data.len >= 4" can never evaluate to true.

-- 
Jordan Russell
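
The flaw described in this message, reduced to a stand-alone C program as an added example (not code from the post or from ISC DHCP). `struct data_string` here is a simplified stand-in, `demo_forget`, `demo_evaluate` and `be32` are hypothetical helpers, and the lease bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the evaluated-option buffer (assumed layout). */
struct data_string { const unsigned char *data; unsigned len; };

/* Stand-in for data_string_forget(): zeroes the whole structure, as the post describes. */
static void demo_forget(struct data_string *d) { memset(d, 0, sizeof *d); }

/* Hypothetical evaluator: points the structure at the option bytes. */
static int demo_evaluate(struct data_string *out, const unsigned char *buf, unsigned len) {
    out->data = buf;
    out->len = len;
    return 1;
}

/* Decode a big-endian 32-bit value. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Pattern from the post: data.len is read after the structure was zeroed. */
int extract32_flawed(const unsigned char *buf, unsigned len, uint32_t *result) {
    struct data_string data;
    int status = demo_evaluate(&data, buf, len);
    if (status && data.len >= 4) *result = be32(data.data);
    if (status) demo_forget(&data);
    return (status && data.len >= 4);   /* data.len is 0 here, so always false */
}

/* Corrected ordering: capture the length check before releasing the data. */
int extract32_fixed(const unsigned char *buf, unsigned len, uint32_t *result) {
    struct data_string data;
    int status = demo_evaluate(&data, buf, len);
    int ok = status && data.len >= 4;
    if (ok) *result = be32(data.data);
    if (status) demo_forget(&data);
    return ok;
}

int main(void) {
    const unsigned char lease[4] = {0x00, 0x01, 0x51, 0x80}; /* constructed: 86400 s */
    uint32_t v = 0;
    printf("flawed returns %d\n", extract32_flawed(lease, 4, &v));
    int ok = extract32_fixed(lease, 4, &v);
    printf("fixed returns %d, value %u\n", ok, (unsigned)v);
    return 0;
}
```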


