Fix a potential heap overflow in decode_CSR when CIDR > 32.

author Roy Marples <roy@marples.name>

Mon, 20 Aug 2007 15:36:41 +0000 (15:36 +0000)

committer Roy Marples <roy@marples.name>

Mon, 20 Aug 2007 15:36:41 +0000 (15:36 +0000)
author Roy Marples <roy@marples.name>
Mon, 20 Aug 2007 15:36:41 +0000 (15:36 +0000)
committer Roy Marples <roy@marples.name>
Mon, 20 Aug 2007 15:36:41 +0000 (15:36 +0000)
diff --git a/ChangeLog b/ChangeLog

index 44874cc3c0b060a0319366790d274bc7c3e64891..aec061e6675d77763b95eca63b47d7cb90c93013 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+Fix a potential heap overflow in decode_CSR when CIDR > 32.
  Fix a potential heap overflow in decode_sipservers when length is 1.
  -L actually doesn't do IPv4LL as advertised.
  
diff --git a/dhcp.c b/dhcp.c

index 408440a98445a81568e755d3d9780337e4c23efe..80ca8b51a64234b32379200d528e1ef8d20ab75c 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -374,6 +374,12 @@ static route_t *decode_CSR(const unsigned char *p, int len)
                 memset (route, 0, sizeof (route_t));
  
                 cidr = *q++;
+               if (cidr > 32) {
+                       logger (LOG_ERR, "invalid CIDR of %d in classless static route",
+                                       cidr);
+                       free_route (first);
+                       return (NULL);
+               }
                 ocets = (cidr + 7) / 8;
  
                 if (ocets > 0) {
author	Roy Marples <roy@marples.name>
	Mon, 20 Aug 2007 15:36:41 +0000 (15:36 +0000)
committer	Roy Marples <roy@marples.name>
	Mon, 20 Aug 2007 15:36:41 +0000 (15:36 +0000)
ChangeLog		patch \| blob \| blame \| history
dhcp.c		patch \| blob \| blame \| history