ALT Linux repos
| S: | 9.4.0-alt2 |
| D: | 4.0.0-alt0.1.rc4 |
| 5.0: | 4.0.13-alt2 |
| 4.1: | 3.0.17-alt4 |
| 4.0: | 3.0.17-alt2.M40.1 |
| 3.0: | 1.3.22pl4-alt3 |
| +backports: | 3.0.17-alt3.M30 |
Group :: System/Servers
RPM: dhcpcd
Navigation
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
Download
Download
From 8d11b33f6c60e2db257130fa383ba76b6018bcf6 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Fri, 19 Apr 2019 09:45:02 +0100
Subject: [PATCH] DHCPv6: Fix a potential buffer overflow reading NA/TA
addresses
Only copy upto the size of the address option rather than the
option length.
Found by Maxime Villard <max@m00nbsd.net>
---
src/dhcp6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/dhcp6.c b/src/dhcp6.c
index 99a452bb..8fc4f000 100644
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -2029,12 +2029,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid,
nd = o + ol;
l -= (size_t)(nd - d);
d = nd;
- if (ol < 24) {+ if (ol < sizeof(ia)) {errno = EINVAL;
logerrx("%s: IA Address option truncated", ifp->name);continue;
}
- memcpy(&ia, o, ol);
+ memcpy(&ia, o, sizeof(ia));
ia.pltime = ntohl(ia.pltime);
ia.vltime = ntohl(ia.vltime);
/* RFC 3315 22.6 */
--
2.21.0