File dhcp-4.2.2-CVE-2011-4539-regex-DoS.bnc735610.diff of Package dhcp.import5532

From 34f5e08fd3265f950b460dd5886d15984e69a765 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Fri, 9 Dec 2011 13:45:53 +0100
Subject: [PATCH] CVE-2011-4539 regex DoS

Extracted from 4.2.3-P1:
Add a check for a null pointer before calling the regexec function.
Without this check we could, under some circumstances, pass
a null pointer to the regexec function causing it to segfault.
Thanks to a report from BlueCat Networks. [ISC-Bugs #26704].

Signed-off-by: Marius Tomaschewski <mt@suse.de>
---
 common/dhcp-eval.5 |    4 ++--
 common/tree.c      |    1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/common/dhcp-eval.5 b/common/dhcp-eval.5
index 7228929..55765d4 100644
--- a/common/dhcp-eval.5
+++ b/common/dhcp-eval.5
@@ -133,8 +133,8 @@ extended regex(7) matching of the values of two data expressions, returning
 true if \fIdata-expression-1\fR matches against the regular expression
 evaluated by \fIdata-expression-2\fR, or false if it does not match or
 encounters some error.  If either the left-hand side or the right-hand side 
-are null, the result is also false.  The \fB~~\fR operator differs from the
-\fB~=\fR operator in that it is case-insensitive.
+are null or empty strings, the result is also false.  The \fB~~\fR operator
+differs from the \fB~=\fR operator in that it is case-insensitive.
 .RE
 .PP
 .I boolean-expression-1 \fBand\fR \fIboolean-expression-2\fR
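Review bot: the new wording "are null or empty strings" promises more than the code change in this same patch shows. The tree.c hunk only adds a test that `left.data` and `right.data` are not NULL; it adds no length test. If an empty string can reach the operator with a non-NULL data pointer, the manual page and the code disagree. Either state here that the case covered is a value with no data, or add an explicit length check in tree.c so the documented behaviour is enforced. While the sentence is being touched, "If either ... are" should read "If either ... is".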
diff --git a/common/tree.c b/common/tree.c
index d09107b..3c978b0 100644
--- a/common/tree.c
+++ b/common/tree.c
@@ -1120,6 +1120,7 @@ int evaluate_boolean_expression (result, packet, lease, client_state,
 		*result = 0;
 		memset(&re, 0, sizeof(re));
 		if (bleft && bright &&
+		    (left.data != NULL) && (right.data != NULL) &&
         	    (regcomp(&re, (char *)right.data, regflags) == 0) &&
 		    (regexec(&re, (char *)left.data, (size_t)0, NULL, 0) == 0))
 				*result = 1;
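Review bot: the added `(left.data != NULL) && (right.data != NULL)` test needs a short comment, because next to the existing `bleft && bright` it reads as redundant. The commit message says a null pointer can reach regexec "under some circumstances"; a one-line note saying that a successful evaluation can still leave the data pointer NULL would stop a later cleanup from removing the check. Separately, both buffers are cast to `char *` and handed to regcomp and regexec as C strings, and nothing in the visible lines shows that they are NUL-terminated or that a length is consulted. It is worth confirming that the evaluation path guarantees termination, since the NULL test alone does not bound the read.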
-- 
1.7.3.4