diff options
author | Lennart Poettering <lennart@poettering.net> | 2018-10-19 12:12:33 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2018-10-27 22:03:01 +0200 |
commit | 01ca2053bbea09f35b958c8cc7631e15469acb79 (patch) | |
tree | 8dd8e47dfba9d15db80e0f4d92c683bfd34343ff | |
parent | 05872d554ff1a783aab9fee0fc559c7b99179f8b (diff) |
dhcp6: make sure we have enough space for the DHCP6 option header
Fixes a vulnerability originally discovered by Felix Wilhelm from
Google.
CVE-2018-15688
LP: #1795921
https://bugzilla.redhat.com/show_bug.cgi?id=1639067
(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
-rw-r--r-- | src/systemd/src/libsystemd-network/dhcp6-option.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c index d178fe2b3c..9027c14e1e 100644 --- a/src/systemd/src/libsystemd-network/dhcp6-option.c +++ b/src/systemd/src/libsystemd-network/dhcp6-option.c @@ -108,7 +108,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia) { return -EINVAL; } - if (*buflen < len) + if (*buflen < offsetof(DHCP6Option, data) + len) return -ENOBUFS; ia_hdr = *buf; |