
Debian: DSA 245-1 Critical: DHCP3 Packet Storm Remote Exploit

January 28, 2003
Debian Security Advisory DSA 245-1 Debian Security Information Martin Schulze January 28th, 2003 Deb
There is a bug in the dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet.

Summary

Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s).

This patch introduces a new commandline switch ``-c maxcount' and
people are advised to start the dhcp-relay with ``dhcrelay -c 10'
or a smaller number, which will only create that many packets.
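
The relay decision described above, as an added sketch that is not code from the dhcp3 package or the Debian patch: the own-address loop check plus a hop-counter upper bound, with the reflection modelled by feeding each forwarded copy straight back in. The struct, function names, addresses, the use of a negative max_hops to stand for the unpatched "no bound" case, and the assumption that a forwarded request keeps a relay address it already carries are all choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Only the BOOTP header fields the relay decision needs. */
struct bootp_hdr {
    uint8_t  op;      /* 1 = BOOTREQUEST */
    uint8_t  hops;    /* incremented each time a relay forwards the request */
    uint32_t giaddr;  /* relay address field; 0 until a relay fills it in */
};

enum relay_verdict { RELAY_FORWARD, RELAY_DROP_OWN_ADDR, RELAY_DROP_MAX_HOPS };

/* Decide on one received request; updates pkt when it is forwarded.
 * max_hops < 0 models a relay with no upper bound on the hop counter. */
enum relay_verdict relay_decide(struct bootp_hdr *pkt, uint32_t own_addr,
                                int max_hops)
{
    if (pkt->giaddr == own_addr)
        return RELAY_DROP_OWN_ADDR;          /* existing loop check */
    if (max_hops >= 0 && pkt->hops >= max_hops)
        return RELAY_DROP_MAX_HOPS;          /* bound set by "-c maxcount" */
    pkt->hops++;                             /* wraps at 255 without a bound */
    if (pkt->giaddr == 0)
        pkt->giaddr = own_addr;
    return RELAY_FORWARD;
}

/* Every forwarded copy is reflected back into the relay. Returns how many
 * packets went towards the server; `limit` stops the unbounded case. */
unsigned count_forwards(struct bootp_hdr pkt, uint32_t own_addr,
                        int max_hops, unsigned limit)
{
    unsigned sent = 0;
    while (sent < limit &&
           relay_decide(&pkt, own_addr, max_hops) == RELAY_FORWARD)
        sent++;
    return sent;
}

int main(void)
{
    const uint32_t own = 0xC0000201u;             /* 192.0.2.1, constructed */
    struct bootp_hdr pkt = { 1, 0, 0xC0000263u }; /* constructed sample */
    printf("no bound: %u packets (stopped by limit)\n",
           count_forwards(pkt, own, -1, 1000));
    printf("-c 10:    %u packets\n", count_forwards(pkt, own, 10, 1000));
    return 0;
}
```

With a bound of 10 the reflected request is forwarded exactly ten times and then dropped, which matches the advisory's "will only create that many packets".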

The dhcrelay program from the ``dhcp' package does not seem to be
affected since DHCP packets are ...


Severity
critical

Package: dhcp3
