From: Roy Marples Date: Fri, 19 Apr 2019 08:45:02 +0000 (+0100) Subject: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses X-Git-Tag: v7.2.1~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43961c178e83483eab538b52b5a7722d4c4093fd;p=thirdparty%2Fdhcpcd.git DHCPv6: Fix a potential buffer overflow reading NA/TA addresses Only copy up to the size of the address option rather than the option length. Found by Maxime Villard --- diff --git a/src/dhcp6.c b/src/dhcp6.c index 99a452bb..8fc4f000 100644 --- a/src/dhcp6.c +++ b/src/dhcp6.c @@ -2029,12 +2029,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid, nd = o + ol; l -= (size_t)(nd - d); d = nd; - if (ol < 24) { + if (ol < sizeof(ia)) { errno = EINVAL; logerrx("%s: IA Address option truncated", ifp->name); continue; } - memcpy(&ia, o, ol); + memcpy(&ia, o, sizeof(ia)); ia.pltime = ntohl(ia.pltime); ia.vltime = ntohl(ia.vltime); /* RFC 3315 22.6 */
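
Review bot: In the `if (ol < sizeof(ia))` check, the minimum length is now tied to the in-memory size of `ia` instead of the wire-format constant 24, so the check and the `memcpy(&ia, o, sizeof(ia))` are only correct if the struct has no padding and is exactly 24 bytes. The hunk does not show that guarantee; a compile-time assertion that `sizeof(ia) == 24` next to the struct definition, or a comment at this check, would keep a later struct change from silently changing which option lengths are accepted. A short comment that `ol` larger than `sizeof(ia)` is accepted on purpose, with the remaining bytes left uncopied, would also help, since that is the case the old `memcpy(&ia, o, ol)` overflowed on.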