From: Roy Marples Date: Mon, 20 Aug 2007 15:36:41 +0000 (+0000) Subject: Fix a potential heap overflow in decode_CSR when CIDR > 32. X-Git-Tag: v3.2.3~210 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=735402ffd79a9470925e25a9e629840b96e9df73;p=thirdparty%2Fdhcpcd.git Fix a potential heap overflow in decode_CSR when CIDR > 32. --- diff --git a/ChangeLog b/ChangeLog index 44874cc3..aec061e6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,4 @@ +Fix a potential heap overflow in decode_CSR when CIDR > 32. Fix a potential heap overflow in decode_sipservers when length is 1. -L actually doesn't do IPv4LL as advertised. diff --git a/dhcp.c b/dhcp.c index 408440a9..80ca8b51 100644 --- a/dhcp.c +++ b/dhcp.c @@ -374,6 +374,12 @@ static route_t *decode_CSR(const unsigned char *p, int len) memset (route, 0, sizeof (route_t)); cidr = *q++; + if (cidr > 32) { + logger (LOG_ERR, "invalid CIDR of %d in classless static route", + cidr); + free_route (first); + return (NULL); + } ocets = (cidr + 7) / 8; if (ocets > 0) {
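Review bot: In the dhcp.c hunk, the new `cidr > 32` check caps `ocets` at 4, but nothing in the visible lines verifies that those `ocets` bytes are still inside the option, i.e. that `q + ocets` does not pass `p + len`, before they are read. If that is not checked further down, a truncated option carrying an in-range CIDR would still read past the end of the buffer; consider rejecting it on the same error path. Also on that path, `free_route (first)` only releases the current `route` if it has already been linked into the list headed by `first`; if the `route` cleared by the `memset` just above is linked later in the loop, it leaks here and needs its own free before `return (NULL)`.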