DHCPv6: Fix a potential buffer overflow reading NA/TA addresses

author Roy Marples <roy@marples.name>

Fri, 19 Apr 2019 08:45:02 +0000 (09:45 +0100)

committer Roy Marples <roy@marples.name>

Fri, 19 Apr 2019 08:45:02 +0000 (09:45 +0100)
author Roy Marples <roy@marples.name>
Fri, 19 Apr 2019 08:45:02 +0000 (09:45 +0100)
committer Roy Marples <roy@marples.name>
Fri, 19 Apr 2019 08:45:02 +0000 (09:45 +0100)
diff --git a/src/dhcp6.c b/src/dhcp6.c

index 99a452bb1d40431ec529ddf09f94d00fbb318319..8fc4f00080c5a6cd9978cd67da3a7a6bae40abd2 100644 (file)
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -2029,12 +2029,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid,
                 nd = o + ol;
                 l -= (size_t)(nd - d);
                 d = nd;
-               if (ol < 24) {
+               if (ol < sizeof(ia)) {
                         errno = EINVAL;
                         logerrx("%s: IA Address option truncated", ifp->name);
                         continue;
                 }
-               memcpy(&ia, o, ol);
+               memcpy(&ia, o, sizeof(ia));
                 ia.pltime = ntohl(ia.pltime);
                 ia.vltime = ntohl(ia.vltime);
                 /* RFC 3315 22.6 */
author	Roy Marples <roy@marples.name>
	Fri, 19 Apr 2019 08:45:02 +0000 (09:45 +0100)
committer	Roy Marples <roy@marples.name>
	Fri, 19 Apr 2019 08:45:02 +0000 (09:45 +0100)