From: Prasad J Pandit <pjp@fedoraproject.org>
While parsing the dhcp options string in 'dhcp_decode', if an option's
length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
read could lead to an OOB memory access issue. Add a check to avoid it.
Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
slirp/bootp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 5a4646c..5dd1a41 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
if (p >= p_end)
break;
len = *p++;
+ if (p + len > p_end) {
+ break;
+ }
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
switch(tag) {
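Review bot: keep the new bound as `p + len > p_end` rather than `>=`: after `len = *p++` the bytes still inside the array are `p[0]` through `p_end[-1]`, so an option whose value ends exactly at `p_end` (`p + len == p_end`) is fully in bounds, and `>=` would wrongly drop a legitimately packed final option. Two follow-ups for this hunk: `p + len` forms a pointer past the end of `bp_vend` before the comparison, which C does not define even though `len` comes from a single byte and cannot run far; `if (len > p_end - p)` expresses the same bound without forming the out-of-range pointer. And since this closes an out-of-bounds read on malformed option lengths, the commit message should cite CVE-2017-11434, the identifier assigned to it later in this thread.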
--
2.9.4
P J P, on Mon, 17 Jul 2017 17:33:26 +0530, wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While parsing dhcp options string in 'dhcp_decode', if an options'
> length 'len' appeared towards the end of 'bp_vend' array, ensuing
> read could lead to an OOB memory access issue. Add check to avoid it.
>
> Reported-by: Reno Robert <renorobert@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Oops, sure, applied to my tree, thanks!

Samuel
> +    if (p + len > p_end) {

Shouldn't this be (p + len >= p_end) ?

On Mon, Jul 17, 2017 at 8:18 PM, Samuel Thibault <samuel.thibault@gnu.org> wrote:
> P J P, on Mon, 17 Jul 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While parsing dhcp options string in 'dhcp_decode', if an options'
>> length 'len' appeared towards the end of 'bp_vend' array, ensuing
>> read could lead to an OOB memory access issue. Add check to avoid it.
>>
>> Reported-by: Reno Robert <renorobert@gmail.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>
> Oops, sure, applied to my tree, thanks!
>
> Samuel

-- 
Regards,
Reno Robert
http://v0ids3curity.blogspot.in/
Reno Robert, on Mon, 17 Jul 2017 23:10:02 +0530, wrote:
> +    if (p + len > p_end) {
>
> Shouldn't this be (p + len >= p_end) ?

No: if p_end-p is 1, len being 1 is fine.

Samuel
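To make the bound and the `>` versus `>=` question in the exchange above concrete, here is an added example written for this page, not slirp or QEMU code: a small option walker shaped like the dhcp_decode loop, run over a constructed vendor area with sentinel bytes placed after it. The frame contents, the sentinel values, the three-mode switch and the names walk_options, overrun_frame and exact_frame are all assumptions of the example. Mode (a) walks unbounded and reads the sentinel bytes, mode (b) applies the patch's check, and mode (c) applies the suggested `>=`, which rejects a valid option that exactly fills the remaining space.

```c
/*
 * Added example, not slirp/QEMU code: a minimal DHCP option walker in the
 * shape of dhcp_decode's loop, run over a constructed vendor area with
 * sentinel bytes after it. Three modes show (a) the unbounded walk reading
 * past p_end, (b) the patch's check, and (c) the '>=' variant asked about
 * in the thread, which rejects a valid, exactly-fitting option.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RFC1533_PAD 0
#define RFC1533_END 255

enum bound_mode {
    UNBOUNDED,      /* behaviour before the patch */
    PATCH_GT,       /* the patch: break if p + len > p_end */
    PROPOSED_GE     /* the suggested p + len >= p_end */
};

/* Constructed frames: the first VEND_LEN bytes stand in for bp_vend; the
 * 0xAA bytes after them stand in for whatever follows the array in memory. */
#define VEND_LEN 8
static const uint8_t overrun_frame[12] = {
    53, 1, 3,                   /* DHCP message type = DHCPREQUEST */
    60, 6, 0x10, 0x20, 0x30,    /* vendor class id claims 6 bytes, 3 remain */
    0xAA, 0xAA, 0xAA, 0xAA      /* sentinel: past the end of the vendor area */
};
static const uint8_t exact_frame[12] = {
    53, 1, 3,
    60, 3, 0x10, 0x20, 0x30,    /* claims 3 bytes, exactly what remains */
    0xAA, 0xAA, 0xAA, 0xAA
};

/*
 * Walks options in vend[0..vend_len). Returns the number of options decoded
 * and, through *value_sum, the sum of every value byte read, which makes a
 * read of the sentinel bytes visible to the caller.
 */
static int walk_options(const uint8_t *vend, size_t vend_len,
                        enum bound_mode mode, uint32_t *value_sum)
{
    const uint8_t *p = vend;
    const uint8_t *p_end = vend + vend_len;
    int nopts = 0;

    *value_sum = 0;
    while (p < p_end) {
        int tag = *p++;
        if (tag == RFC1533_PAD) {
            continue;
        }
        if (tag == RFC1533_END) {
            break;
        }
        if (p >= p_end) {           /* pre-existing check: a length byte must exist */
            break;
        }
        int len = *p++;
        /* p_end - p is the number of bytes still inside the vendor area */
        if (mode == PATCH_GT && len > p_end - p) {
            break;
        }
        if (mode == PROPOSED_GE && len >= p_end - p) {
            break;
        }
        for (int i = 0; i < len; i++) {
            *value_sum += p[i];     /* UNBOUNDED may read past p_end here */
        }
        p += len;
        nopts++;
    }
    return nopts;
}

int main(void)
{
    static const char *names[] = { "unbounded", "patch (>)", "proposed (>=)" };
    for (int m = UNBOUNDED; m <= PROPOSED_GE; m++) {
        uint32_t sum;
        int n = walk_options(overrun_frame, VEND_LEN, (enum bound_mode)m, &sum);
        printf("overrun frame, %-13s: %d option(s), value bytes sum to %u\n",
               names[m], n, (unsigned)sum);
        n = walk_options(exact_frame, VEND_LEN, (enum bound_mode)m, &sum);
        printf("exact frame,   %-13s: %d option(s), value bytes sum to %u\n",
               names[m], n, (unsigned)sum);
    }
    return 0;
}
```

On the overrun frame the unbounded walk returns two options and a value sum that includes the three 0xAA sentinel bytes, which is the over-read the patch closes; the patch's check stops after the first option. On the exact frame the patch's `>` accepts the second option, whose three value bytes end precisely at p_end, while the `>=` variant drops it.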
17.07.2017 17:48, Samuel Thibault wrote:
> P J P, on Mon, 17 Jul 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While parsing dhcp options string in 'dhcp_decode', if an options'
>> length 'len' appeared towards the end of 'bp_vend' array, ensuing
>> read could lead to an OOB memory access issue. Add check to avoid it.
>>
>> Reported-by: Reno Robert <renorobert@gmail.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>
> Oops, sure, applied to my tree, thanks!

Can we have it in 2.10 please? This is CVE-2017-11434, which can be
mentioned in the commit message.

Thanks,

/mjt