protocols/dhcpv4/pcap: stack buffer overflow in fr_dhcpv4_pcap_send — no bounds check...

author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>

Fri, 29 May 2026 19:22:53 +0000 (15:22 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Mon, 1 Jun 2026 19:31:14 +0000 (15:31 -0400)
author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
Fri, 29 May 2026 19:22:53 +0000 (15:22 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Mon, 1 Jun 2026 19:31:14 +0000 (15:31 -0400)
diff --git a/src/protocols/dhcpv4/pcap.c b/src/protocols/dhcpv4/pcap.c

index bbd56e1fdbb62090466d8b05576622193221a706..1ab982f156b3ebe1715cf00248a73055c2dab306 100644 (file)
--- a/src/protocols/dhcpv4/pcap.c
+++ b/src/protocols/dhcpv4/pcap.c
@@ -47,6 +47,7 @@ int fr_dhcpv4_pcap_send(fr_pcap_t *pcap, uint8_t *dst_ether_addr, fr_packet_t *p
         /* Pointer to the current position in the frame */
         uint8_t                 *end = dhcp_packet;
         uint16_t                l4_len;
+       size_t                  header_len;
  
         /* fill in Ethernet layer (L2) */
         eth_hdr = (ethernet_header_t *)dhcp_packet;
@@ -85,6 +86,12 @@ int fr_dhcpv4_pcap_send(fr_pcap_t *pcap, uint8_t *dst_ether_addr, fr_packet_t *p
  
         /* DHCP layer (L7) */
         /* just copy what FreeRADIUS has encoded for us. */
+       header_len = (size_t)(end - dhcp_packet);
+       if (packet->data_len > sizeof(dhcp_packet) - header_len) {
+               fr_strerror_printf("DHCP packet too large (%zu bytes), maximum %zu bytes",
+                                               packet->data_len, sizeof(dhcp_packet) - header_len);
+               return -1;
+       }
         memcpy(end, packet->data, packet->data_len);
  
         /* UDP checksum is done here */
author	Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
	Fri, 29 May 2026 19:22:53 +0000 (15:22 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Mon, 1 Jun 2026 19:31:14 +0000 (15:31 -0400)