[NMS-9420] No bounds-checking in processing of DHCP Options - The OpenNMS Issue Tracker

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: Meridian-2016.1.3
Fix Version/s: 20.1.0, Meridian-2016.1.7, Meridian-2017.1.0
Component/s: Polling / Monitors / Outages
Security Level: Default (Default Security Scheme)
Labels:
- dhcpd
- support
Environment:
See https://mynms.opennms.com/Ticket/Display.html?id=5095

Sprint:
Horizon - September 6th

Description

User reports the following messages in dhcpd.log:

2017-05-30 14:43:08,512 WARN  [DHCPReceiver] o.o.n.d.Receiver: An error occurred when reading DHCP response. Ignoring exception:
java.lang.ArrayIndexOutOfBoundsException: 312
        at edu.bucknell.net.JDHCP.DHCPOptions.internalize(DHCPOptions.java:120) ~[jdhcp-1.1.1.jar:?]
        at edu.bucknell.net.JDHCP.DHCPMessage.internalize(DHCPMessage.java:423) ~[jdhcp-1.1.1.jar:?]
        at edu.bucknell.net.JDHCP.DHCPMessage.<init>(DHCPMessage.java:242) ~[jdhcp-1.1.1.jar:?]
        at org.opennms.netmgt.dhcpd.Receiver.run(Receiver.java:134) [org.opennms.protocols.dhcp-2016.1.3.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]

I tracked down a copy of the jdhcp-1.1.1 source code and found that the DHCPOptions class' internalize method does no bounds checking.

The jDHCP project looks orphaned; should we consider adopting it and implementing some defensive code here? Or can we handle the exception gracefully on our side?

Attachments

Activity

People

Assignee:

Benjamin Reed

Reporter:

Jeff Gehlbach

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

12/Jun/17 11:41 AM

Updated:

20/Sep/17 3:32 PM

Resolved:

11/Sep/17 3:36 PM