author | Samuel Tan <samueltan@google.com> | 2016-01-08 09:46:36 -0800 |
---|---|---|
committer | Samuel Tan <samueltan@google.com> | 2016-01-08 09:46:36 -0800 |
commit | b745ca9d2d2d127870e6245c50417fc778080e6a (patch) | |
tree | 191d5ec478ef80cbe6d138d8d5d4e76fb53b35b2 | |
parent | ddbf02ae19016710a31fca4b2bc26f08a6fe191f (diff) | |
download | dhcpcd-6.8.2-b745ca9d2d2d127870e6245c50417fc778080e6a.tar.gz |
[PATCH] UPSTREAM: Ensure that option length fits inside data length less option sizebrillo-m9-releasebrillo-m9-dev
Ensure that option length fits inside data length less option size.
Thanks to Nico Golde for the report. Fixes CVE-2016-1504
http://roy.marples.name/projects/dhcpcd/ci/595883e2a431f65d?sbs=1
BUG: 26461547
Change-Id: I8bbb01eda998a0d7e552dcd4bf22db14c796d90e
-rw-r--r-- | dhcp.c | 3 | ||||
-rw-r--r-- | dhcp6.c | 3 |
2 files changed, 4 insertions, 2 deletions
@@ -1257,12 +1257,13 @@ dhcp_getoption(struct dhcpcd_ctx *ctx,
 *os = 2; /* code + len */
 *code = (unsigned int)*od++;
 *len = (size_t)*od++;
- if (*len > ol) {
+ if (*len > ol - *os) {
 errno = EINVAL;
 return NULL;
 }
 }
+ *oopt = NULL;
 for (i = 0, opt = ctx->dhcp_opts; i < ctx->dhcp_opts_len; i++, opt++) {
 if (opt->option == *code) {
 *oopt = opt;
@@ -258,7 +258,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
 }
 o = (const struct dhcp6_option *)od;
 *len = ntohs(o->len);
- if (*len > ol) {
+ if (*len > ol - *os) {
 errno = EINVAL;
 return NULL;
 }
@@ -266,6 +266,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
 } else o = NULL;
+ *oopt = NULL;
 for (i = 0, opt = ctx->dhcp6_opts; i < ctx->dhcp6_opts_len; i++, opt++) { |
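Review bot: The new bound `*len > ol - *os` in dhcp_getoption is only sound if `ol >= *os` has already been established, and that guard is not visible in this hunk. If `ol` and `*os` are unsigned (the `(size_t)` cast on `*len` suggests they are), a buffer shorter than the option header makes the subtraction wrap and the check then accepts any length. The function starts outside the hunk, so confirm the earlier length test covers this, or make the condition self-contained with `if (*os > ol || *len > ol - *os) {`. The same applies to the identical comparison in the first dhcp6_getoption hunk. A comment such as `/* ol includes the option header, so the payload may be at most ol - *os */` would record why the header size is subtracted.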
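Review bot: In the last dhcp6_getoption hunk, `*oopt = NULL;` is placed after the `errno = EINVAL; return NULL;` exit shown in the previous hunk, so a rejected option leaves the caller's `*oopt` holding whatever it held before the call. Whether any caller reads `*oopt` after a NULL return is not visible on this page. Assigning it at the top of the function, before the length checks, would leave it defined on every return path. The dhcp_getoption hunk has the same ordering, and both function bodies start and end outside their hunks.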