From dcb205850c8e1abf3e7eba72191d34b3941596c9 Mon Sep 17 00:00:00 2001
From: Zhixiong Chi
Date: Mon, 13 Nov 2023 18:15:57 -0800
Subject: [PATCH] isc-dhcp: fix CVE-2022-2929

Backport the source patch from the version 4.4.1-2.3+deb11u2.
[https://sources.debian.org/src/isc-dhcp/4.4.1-2.3+deb11u2/debian/patches/CVE-2022-2929.patch]

Refer to:
https://security-tracker.debian.org/tracker/DSA-5251-1
It refers to two issues, CVE-2022-2928 and CVE-2022-2929.
CVE-2022-2928 has been fixed in
[https://review.opendev.org/c/starlingx/integ/+/865278]

Pass: build-pkgs -c -p isc-dhcp
Pass: build-pkgs -a
Pass: build-image
Pass: Debian AIO jenkins installation

Issue is very difficult to reproduce, so we are simply focused on
making sure that this doesn't break anything.

Closes-Bug: 2043434

Signed-off-by: Zhixiong Chi
Change-Id: Ie9148ea007526160b34c57df5f98d776c04dbe3a
---
 base/dhcp/debian/patches/CVE-2022-2929.patch | 47 ++++++++++++++++++++
 base/dhcp/debian/patches/series              |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 base/dhcp/debian/patches/CVE-2022-2929.patch

diff --git a/base/dhcp/debian/patches/CVE-2022-2929.patch b/base/dhcp/debian/patches/CVE-2022-2929.patch
new file mode 100644
index 000000000..3ee0b0f13
--- /dev/null
+++ b/base/dhcp/debian/patches/CVE-2022-2929.patch
@@ -0,0 +1,47 @@ +From 10c175968fbbabc20316b85b85185f946499ec40 Mon Sep 17 00:00:00 2001 +From: Zhixiong Chi +Date: Mon, 13 Nov 2023 18:12:08 -0800 +Subject: [PATCH] CVE-2022-2929 + +Description: DHCP memory leak +Origin: upstream +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2929 +Forwarded: not-needed +Last-Update: 2022-10-04 + +The upstream patch is only in diff format without a git header which I +have created here. +[Backport patch from https://sources.debian.org/src/isc-dhcp/4.4.1-2.3%252Bdeb11u2/debian/patches/CVE-2022-2929.patch] +Signed-off-by: Zhixiong Chi +--- + common/options.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/common/options.c b/common/options.c +index 253cbc1..c70a8ac 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -449,16 +449,16 @@ int fqdn_universe_decode (struct option_state *options, + while (s < &bp -> data[0] + length + 2) { + len = *s; + if (len > 63) { +- log_info ("fancy bits in fqdn option"); +- return 0; ++ log_info ("label length exceeds 63 in fqdn option"); ++ goto bad; + } + if (len == 0) { + terminated = 1; + break; + } + if (s + len > &bp -> data [0] + length + 3) { +- log_info ("fqdn tag longer than buffer"); +- return 0; ++ log_info ("fqdn label longer than buffer"); ++ goto bad; + } + + if (first_len == 0) { +-- +2.42.0 + diff --git a/base/dhcp/debian/patches/series b/base/dhcp/debian/patches/series index 7f729ae15..d067a7e8e 100644 --- a/base/dhcp/debian/patches/series +++ b/base/dhcp/debian/patches/series @@ -3,3 +3,4 @@ dhclient-ipv6-bind-to-interface.patch dhclient-ipv6-conditionally-set-hostname.patch dhclient-set-the-default-prefix-length-to-64.patch CVE-2022-2928.patch +CVE-2022-2929.patch
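Review bot: in the fqdn_universe_decode hunk of the embedded common/options.c patch, both early exits now use `goto bad;`, but the `bad:` label and the cleanup it performs are outside the visible context. Please confirm against the 4.4.1 base that the label exists in this function and releases what is held at that point, and add a sentence to the patch description naming the allocation that the old `return 0;` paths skipped, since "Description: DHCP memory leak" alone does not tell a later reader why the change is correct. Separately, the backport URL in this patch header is double-encoded (`4.4.1-2.3%252Bdeb11u2`) while the commit message uses the literal `+`; use `+` or `%2B` so the link resolves.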
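Review bot: the new `CVE-2022-2929.patch` entry in debian/patches/series is applied after `CVE-2022-2928.patch`, so the `@@ -449,16 +449,16 @@` offsets in the new patch are relative to the tree with that earlier patch already applied. If CVE-2022-2928.patch also changes common/options.c, check the build log for offset or fuzz messages and refresh the patch if there are any, so it keeps applying cleanly.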