[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: Re: [PATCH] udhcpc: Prevent read of option length field beyond end of packet
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2016-10-25 12:27:30
Message-ID: CAK1hOcPtuMtWOAvwPAO80HPdf3SqNeMKYNe3sDR5PYnB69Ky6g () mail ! gmail ! com
[Download RAW message or body]
Applied, thanks!
On Wed, Oct 12, 2016 at 10:53 PM, Brian Foley <bpfoley@google.com> wrote:
>
>
> Signed-off-by: Brian Foley <bpfoley@google.com>
> ---
> networking/udhcp/common.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
> index 0cf4dab..b6feffd 100644
> --- a/networking/udhcp/common.c
> +++ b/networking/udhcp/common.c
> @@ -225,10 +225,13 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
> optionptr = packet->options;
> rem = sizeof(packet->options);
> while (1) {
> + /* Is there enough option payload left to read the option code? */
> if (rem <= 0) {
> bb_error_msg("bad packet, malformed option field");
> return NULL;
> }
> +
> + /* DHCP_PADDING and DHCP_END have no extra option fields */
> if (optionptr[OPT_CODE] == DHCP_PADDING) {
> rem--;
> optionptr++;
> @@ -251,6 +254,12 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
> }
> break;
> }
> +
> + /* All other options must have at least a 1 byte len field */
> + if (rem <= 1) {
> + bb_error_msg("bad packet, malformed option field");
> + return NULL;
> + }
> len = 2 + optionptr[OPT_LEN];
> rem -= len;
> if (rem < 0)
> --
> 2.7.4
>
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic