diff options
| author | Prasad J Pandit <pjp@fedoraproject.org> | 2017-07-17 17:33:26 +0530 |
|---|---|---|
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2017-08-03 00:26:44 +0200 |
| commit | 27731580d379716f2a0b4ea7d27486dd9c29198a (patch) | |
| tree | 54d4b78d60bf75b605b10a07dd108bac4514264e | |
| parent | db0dd60b8c8de91ef3f6d66a2d0c2b62ab94c400 (diff) | |
| download | slirp-27731580d379716f2a0b4ea7d27486dd9c29198a.zip slirp-27731580d379716f2a0b4ea7d27486dd9c29198a.tar.gz slirp-27731580d379716f2a0b4ea7d27486dd9c29198a.tar.bz2 | |
slirp: check len against dhcp options array endv2.10.0-rc4v2.10.0-rc3v2.10.0-rc2v2.10.0
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.
This is CVE-2017-11434.
Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
| -rw-r--r-- | bootp.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -129,6 +129,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, if (p >= p_end) break; len = *p++; + if (p + len > p_end) { + break; + } DPRINTF("dhcp: tag=%d len=%d\n", tag, len); switch (tag) { |