1 From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Mon, 11 Jul 2016 18:18:42 +0100
4 Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements.
5
6 The check that there's enough space to store the DHCP agent-id
7 at the end of the packet could succeed when it should fail
8 if the END option is in either of the option-overload areas.
9 That could overwrite legit options in the request and cause
10 bad behaviour. It's highly unlikely that any sane DHCP client
11 would trigger this bug, and it's never been seen, but this
12 fixes the problem.
13
14 Also fix off-by-one in bounds checking of option processing.
15 Worst case scenario on that is a read one byte beyond the
16 end of a buffer with a crafted packet, and maybe therefore
17 a SIGSEGV crash if the memory after the buffer is not mapped.
18
19 Thanks to Timothy Becker for spotting these.
20 ---
21 src/rfc2131.c | 5 +++--
22 1 file changed, 3 insertions(+), 2 deletions(-)
23
24 diff --git a/src/rfc2131.c b/src/rfc2131.c
25 index b7c167e..8b99d4b 100644
26 --- a/src/rfc2131.c
27 +++ b/src/rfc2131.c
28 @@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
29 be enough free space at the end of the packet to copy the option. */
30 unsigned char *sopt;
31 unsigned int total = option_len(opt) + 2;
32 - unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0);
33 + unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz,
34 + OPTION_END, 0);
35 if (last_opt && last_opt < end - total)
36 {
37 end -= total;
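Review bot: The switch from option_find() to a direct option_find1() call over the main options area is the whole point of this hunk, but nothing at the call site says so, and a future maintainer could easily fold it back into option_find() and reintroduce the bug. Add a comment above the new declaration: `/* Search only the main options area (after the 4-byte magic cookie): an END found in an option-overloaded sname/file field would falsely imply that the space between it and the end of the packet is free. */`. Note also that the search is bounded by `mess + sz` while the free-space test on the next line compares against `end`; if those two bounds can differ, a sentence in the same comment on how they relate would help. dhcp_reply starts before this hunk and continues past it.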
38 @@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
39 {
40 while (1)
41 {
42 - if (p > end)
43 + if (p >= end)
44 return NULL;
45 else if (*p == OPTION_END)
46 return opt == OPTION_END ? p : NULL;
47 --
48 1.7.10.4
49