[#254] Fixed memory leak in FQDN unpacking
authorThomas Markwalder <tmark@isc.org>
Thu, 4 Aug 2022 20:22:35 +0000 (16:22 -0400)
committerTomek Mrugalski <tomek@isc.org>
Tue, 1 Nov 2022 15:42:56 +0000 (15:42 +0000)
RELNOTES
    Added a release note

common/options.c
    fqdn_universe_decode() - replace returns with
    gotos to ensure memory is freed on label length
    errors

RELNOTES
common/options.c

index ae96ca2eede307c7a8213f7928df18823fb9a3ff..26cb9f51426054e56e88206c5069e5dc1b1e8822 100644 (file)
--- a/RELNOTES
+++ b/RELNOTES
@@ -36,6 +36,11 @@ by Eric Young (eay@cryptsoft.com).
   [Gitblab #253]
   CVE: CVS-2022-2928
 
+! Corrected a memory leak that occurs when unpacking a packet that has an
+  FQDN option (81) that contains a label whose lenght is greater than 63.
+  [Gitblab #254]
+  CVE: CVS-2022-2929
+
                Changes since 4.4.2-P1 (New Features)
 
 - Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
index f0959cb2b03a410a053405adb8971f1312dd2f0e..25450e1dfd0363a285e11d16fcc3d615d049f144 100644 (file)
@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
                while (s < &bp -> data[0] + length + 2) {
                        len = *s;
                        if (len > 63) {
-                               log_info ("fancy bits in fqdn option");
-                               return 0;
+                               log_info ("label length exceeds 63 in fqdn option");
+                               goto bad;
                        }
                        if (len == 0) {
                                terminated = 1;
                                break;
                        }
                        if (s + len > &bp -> data [0] + length + 3) {
-                               log_info ("fqdn tag longer than buffer");
-                               return 0;
+                               log_info ("fqdn label longer than buffer");
+                               goto bad;
                        }
 
                        if (first_len == 0) {
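Review bot: Both `goto bad` sites depend on a `bad:` label outside this hunk, so the leak is only closed if that label drops the `bp` reference and no other `return 0` remains after the buffer is allocated in fqdn_universe_decode; check this against the full function, which starts and ends outside the hunk. The label-bounds test `s + len > &bp -> data [0] + length + 3` uses a different offset from the loop condition (`+ 2`), and because `len` is read straight from the received option, a short comment stating which byte each bound refers to would make the check auditable. Above the first test I would add `/* DNS labels are limited to 63 octets (RFC 1035); reject anything larger and leave through bad so bp is not leaked. */`. A regression test that decodes an option 81 with an over-long label under a leak checker would keep this error path covered.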