Message ID | 20170802222607.32085-3-samuel.thibault@ens-lyon.org |
---|---|
State | New |
Headers | show |
Samuel Thibault, on jeu. 03 août 2017 00:26:07 +0200, wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While parsing dhcp options string in 'dhcp_decode', if an options' > length 'len' appeared towards the end of 'bp_vend' array, ensuing > read could lead to an OOB memory access issue. Add check to avoid it. > > Reported-by: Reno Robert <renorobert@gmail.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Oops, this should have mentioned the CVE, I'll redo the pull request, sorry. > --- > slirp/bootp.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/slirp/bootp.c b/slirp/bootp.c > index 5a4646c182..5dd1a415b5 100644 > --- a/slirp/bootp.c > +++ b/slirp/bootp.c > @@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, > if (p >= p_end) > break; > len = *p++; > + if (p + len > p_end) { > + break; > + } > DPRINTF("dhcp: tag=%d len=%d\n", tag, len); > > switch(tag) { > -- > 2.13.2 >
diff --git a/slirp/bootp.c b/slirp/bootp.c index 5a4646c182..5dd1a415b5 100644 --- a/slirp/bootp.c +++ b/slirp/bootp.c @@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, if (p >= p_end) break; len = *p++; + if (p + len > p_end) { + break; + } DPRINTF("dhcp: tag=%d len=%d\n", tag, len); switch(tag) {