| From b745ca9d2d2d127870e6245c50417fc778080e6a Mon Sep 17 00:00:00 2001 |
| From: Samuel Tan <samueltan@google.com> |
| Date: Fri, 08 Jan 2016 09:46:36 -0800 |
| Subject: [PATCH] UPSTREAM: Ensure that option length fits inside data length less option size |
| |
| Ensure that option length fits inside data length less option size. |
| Thanks to Nico Golde for the report. Fixes CVE-2016-1504 |
| |
| http://roy.marples.name/projects/dhcpcd/ci/595883e2a431f65d?sbs=1 |
| |
| BUG=b:26461547 |
| |
| Reviewed-on: https://android-review.googlesource.com/#/c/195321/ |
| |
| --- |
| |
| diff --git a/dhcp.c b/dhcp.c |
| index 5bb16b9..f1cdc36 100644 |
| --- a/dhcp.c |
| +++ b/dhcp.c |
| @@ -1257,12 +1257,13 @@ |
| *os = 2; /* code + len */ |
| *code = (unsigned int)*od++; |
| *len = (size_t)*od++; |
| - if (*len > ol) { |
| + if (*len > ol - *os) { |
| errno = EINVAL; |
| return NULL; |
| } |
| } |
| |
| + *oopt = NULL; |
| for (i = 0, opt = ctx->dhcp_opts; i < ctx->dhcp_opts_len; i++, opt++) { |
| if (opt->option == *code) { |
| *oopt = opt; |
| diff --git a/dhcp6.c b/dhcp6.c |
| index 238acd4..ea37fe3 100644 |
| --- a/dhcp6.c |
| +++ b/dhcp6.c |
| @@ -258,7 +258,7 @@ |
| } |
| o = (const struct dhcp6_option *)od; |
| *len = ntohs(o->len); |
| - if (*len > ol) { |
| + if (*len > ol - *os) { |
| errno = EINVAL; |
| return NULL; |
| } |
| @@ -266,6 +266,7 @@ |
| } else |
| o = NULL; |
| |
| + *oopt = NULL; |
| for (i = 0, opt = ctx->dhcp6_opts; |
| i < ctx->dhcp6_opts_len; i++, opt++) |
| { |