From 0d4220fa98fbbd8aa0944a6ed87122b579716ff5 Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Mon, 10 Sep 2018 15:22:28 +0200

Subject: [PATCH 1/9] systemd/dhcp: fix assertion starting DHCP client without

 MAC address

An assertion in dhcp_network_bind_raw_socket() is triggered when

starting an sd_dhcp_client without setting setting a MAC address

first.

  - sd_dhcp_client_start()

    - client_start()

      - client_start_delayed()

        - dhcp_network_bind_raw_socket()

In that case, the arp-type and MAC address is still unset. Note that

dhcp_network_bind_raw_socket() already checks for a valid arp-type

and MAC address below, so we should just gracefully return -EINVAL.

Maybe sd_dhcp_client_start() should fail earlier when starting without

MAC address. But the failure here will be correctly propagated and

the start aborted.

See-also: https://github.com/systemd/systemd/pull/10054

(cherry picked from commit 34af574d5810ab2b0d6d354cbc28135cde4a55b1)

(cherry picked from commit 0a797bdc2a592385a21e7ed918c08ef54a346d99)

(cherry picked from commit f37ed84ca495ee212b1e82b9c5a5682c4acfebcd)

---

 src/systemd/src/libsystemd-network/dhcp-network.c | 2 --

 1 file changed, 2 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp-network.c b/src/systemd/src/libsystemd-network/dhcp-network.c

index 90fe29d04..80e9577cd 100644

--- a/src/systemd/src/libsystemd-network/dhcp-network.c

+++ b/src/systemd/src/libsystemd-network/dhcp-network.c

@@ -128,8 +128,6 @@ int dhcp_network_bind_raw_socket(int ifindex, union sockaddr_union *link,

         const uint8_t *bcast_addr = NULL;

         uint8_t dhcp_hlen = 0;

-        assert_return(mac_addr_len > 0, -EINVAL);

-

         if (arp_type == ARPHRD_ETHER) {

                 assert_return(mac_addr_len == ETH_ALEN, -EINVAL);

                 memcpy(&eth_mac, mac_addr, ETH_ALEN);

-- 

2.17.1

From ee92f8164c0ecee86cec104240f0bbe155901891 Mon Sep 17 00:00:00 2001

From: Yu Watanabe <watanabe.yu+github@gmail.com>

Date: Sun, 30 Sep 2018 20:23:58 +0900

Subject: [PATCH 2/9] dhcp6: check option length before reading values

Fixes oss-fuzz#10746

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10746.

https://github.com/systemd/systemd/pull/10213

https://github.com/systemd/systemd/commit/84452783b8bcc44e0dbb7fa6ddc6dad8c064bdfe

(cherry picked from commit 484e92e17f93aa9658944dc886d420ef32bc625e)

(cherry picked from commit 0cec1cb93edd2efa6bee8e2ec1000d94a86ec61e)

(cherry picked from commit 8b8b248679ee17b5c8e68fb8e8e6f6cd3ec32f03)

---

 src/systemd/src/libsystemd-network/dhcp6-internal.h  |  2 +-

 src/systemd/src/libsystemd-network/dhcp6-option.c    | 11 ++++++-----

 src/systemd/src/libsystemd-network/sd-dhcp6-client.c |  2 +-

 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-internal.h b/src/systemd/src/libsystemd-network/dhcp6-internal.h

index f1cbd6a4f..06e2e5324 100644

--- a/src/systemd/src/libsystemd-network/dhcp6-internal.h

+++ b/src/systemd/src/libsystemd-network/dhcp6-internal.h

@@ -91,7 +91,7 @@ int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd);

 int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn);

 int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,

                        size_t *optlen, uint8_t **optvalue);

-int dhcp6_option_parse_status(DHCP6Option *option);

+int dhcp6_option_parse_status(DHCP6Option *option, size_t len);

 int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia);

 int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen,

                                 struct in6_addr **addrs, size_t count,

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c

index a8a56463a..e462b7083 100644

--- a/src/systemd/src/libsystemd-network/dhcp6-option.c

+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c

@@ -249,10 +249,11 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,

         return 0;

 }

-int dhcp6_option_parse_status(DHCP6Option *option) {

+int dhcp6_option_parse_status(DHCP6Option *option, size_t len) {

         DHCP6StatusOption *statusopt = (DHCP6StatusOption *)option;

-        if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*statusopt))

+        if (len < sizeof(DHCP6StatusOption) ||

+            be16toh(option->len) + sizeof(DHCP6Option) < sizeof(DHCP6StatusOption))

                 return -ENOBUFS;

         return be16toh(statusopt->status);

@@ -279,7 +280,7 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia,

         }

         if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*addr_option)) {

-                r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options);

+                r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*addr_option));

                 if (r != 0)

                         return r < 0 ? r: 0;

         }

@@ -319,7 +320,7 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia,

         }

         if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*pdprefix_option)) {

-                r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options);

+                r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*pdprefix_option));

                 if (r != 0)

                         return r < 0 ? r: 0;

         }

@@ -464,7 +465,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {

                 case SD_DHCP6_OPTION_STATUS_CODE:

-                        status = dhcp6_option_parse_status(option);

+                        status = dhcp6_option_parse_status(option, optlen);

                         if (status) {

                                 log_dhcp6_client(client, "IA status %d",

                                                  status);

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

index ca03f580e..b82e3f45f 100644

--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

@@ -828,7 +828,7 @@ static int client_parse_message(

                         break;

                 case SD_DHCP6_OPTION_STATUS_CODE:

-                        status = dhcp6_option_parse_status(option);

+                        status = dhcp6_option_parse_status(option, optlen);

                         if (status) {

                                 log_dhcp6_client(client, "%s Status %s",

                                                  dhcp6_message_type_to_string(message->type),

-- 

2.17.1

From a944785f244e92094eb4379cf12e76f5205037d3 Mon Sep 17 00:00:00 2001

From: Evgeny Vereshchagin <evvers@ya.ru>

Date: Sat, 29 Sep 2018 03:06:10 +0000

Subject: [PATCH 3/9] dhcp6: fix an off-by-one error in

 dhcp6_option_parse_domainname

==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c at pc 0x0000005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88

READ of size 1 at 0x60200055fa9c thread T0

    #0 0x5458f0 in dhcp6_option_parse_domainname /work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29

    #1 0x54706e in dhcp6_lease_set_domains /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13

    #2 0x53fce0 in client_parse_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29

    #3 0x53f3bc in client_receive_advertise /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13

    #4 0x53d57f in client_receive_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21

    #5 0x7f0f7159deee in source_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21

    #6 0x7f0f7159d431 in sd_event_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21

    #7 0x7f0f7159ea8d in sd_event_run /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21

    #8 0x531f2b in fuzz_client /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9

    #9 0x531bc1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9

    #10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15

    #11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3

    #12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19

    #13 0x580ca6 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5

    #14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6

    #15 0x551a1c in main /src/libfuzzer/FuzzerMain.cpp:20:10

    #16 0x7f0f701a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    #17 0x41e928 in _start (/out/fuzz-dhcp6-client+0x41e928)

https://github.com/systemd/systemd/pull/10200

https://github.com/systemd/systemd/commit/b387d3c1327a3ad2a2509bd3d3491e674392ff21

(cherry picked from commit 7cb7cffc4962245a32e87017bcf264005c043250)

(cherry picked from commit cd3aacefdd0b91741b7b2e7b5ee5baab210addd9)

(cherry picked from commit 5b140a77bc7b01dc002dbf28a7a2507a27a63d7c)

---

 src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c

index e462b7083..ff1cbf13d 100644

--- a/src/systemd/src/libsystemd-network/dhcp6-option.c

+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c

@@ -566,7 +566,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *

                                 /* Literal label */

                                 label = (const char *)&optval[pos];

                                 pos += c;

-                                if (pos > optlen)

+                                if (pos >= optlen)

                                         return -EMSGSIZE;

                                 if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {

-- 

2.17.1

From fc04015063d44a61b85bdf2c2648d9ac9fb4a446 Mon Sep 17 00:00:00 2001

From: Yu Watanabe <watanabe.yu+github@gmail.com>

Date: Thu, 27 Sep 2018 18:04:59 +0900

Subject: [PATCH 4/9] sd-dhcp-lease: fix memleaks

(cherry picked from commit e2975f854831d08a25b4f5eb329b6d04102e115f)

(cherry picked from commit 157094abd83f933fad142758a7d177cfa1a347f7)

(cherry picked from commit 3fd9d11619a5e60d375076fbe13851dd1d3a4a63)

---

 src/systemd/src/libsystemd-network/sd-dhcp-lease.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c

index 33a0796a8..841d07926 100644

--- a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c

+++ b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c

@@ -279,6 +279,8 @@ sd_dhcp_lease *sd_dhcp_lease_unref(sd_dhcp_lease *lease) {

                 free(option);

         }

+        free(lease->root_path);

+        free(lease->timezone);

         free(lease->hostname);

         free(lease->domainname);

         free(lease->dns);

-- 

2.17.1

From ae56f71f5bd4233f335ec4c2a5172b59be3d80ca Mon Sep 17 00:00:00 2001

From: Yu Watanabe <watanabe.yu+github@gmail.com>

Date: Thu, 27 Sep 2018 23:48:51 +0900

Subject: [PATCH 5/9] dhcp6: fix buffer size checking

(cherry picked from commit cb1bdeaf56852275e6b0dd1fba932bb174767f70)

(cherry picked from commit 91fb1673d5217aaf1461998fd2675630f5c265f9)

(cherry picked from commit 15a3c6c692ee0125d4673df42ef8986e9e3d69c7)

---

 src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

index b82e3f45f..b65c31171 100644

--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

@@ -776,8 +776,8 @@ static int client_parse_message(

                 uint8_t *optval;

                 be32_t iaid_lease;

-                if (len < offsetof(DHCP6Option, data) ||

-                    len < offsetof(DHCP6Option, data) + be16toh(option->len))

+                if (len < pos + offsetof(DHCP6Option, data) ||

+                    len < pos + offsetof(DHCP6Option, data) + be16toh(option->len))

                         return -ENOBUFS;

                 optcode = be16toh(option->code);

-- 

2.17.1

From 9babde953073b460d8bcda13329c60a0a74cdc3c Mon Sep 17 00:00:00 2001

From: Yu Watanabe <watanabe.yu+github@gmail.com>

Date: Fri, 19 Oct 2018 03:44:56 +0900

Subject: [PATCH 6/9] sd-dhcp6: fix argument and error handling of

 dhcp6_option_parse_status()

(cherry picked from commit 91c43f3978fa7c8341550b9ca279e460ba7e74e6)

(cherry picked from commit 373cbfc8c6e9591b3c8cc12d58c4b31ac35ab24f)

(cherry picked from commit 0e93fd895daa6f0f578ffa8fc4ed3e0ea85c62e8)

(cherry picked from commit 6ea13fc82523bebaa08cf2ab8404e751a654261f)

---

 src/systemd/src/libsystemd-network/dhcp6-option.c    | 10 ++++++----

 src/systemd/src/libsystemd-network/sd-dhcp6-client.c |  9 +++++----

 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c

index ff1cbf13d..cfddefcb5 100644

--- a/src/systemd/src/libsystemd-network/dhcp6-option.c

+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c

@@ -465,13 +465,15 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {

                 case SD_DHCP6_OPTION_STATUS_CODE:

-                        status = dhcp6_option_parse_status(option, optlen);

-                        if (status) {

+                        status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));

+                        if (status < 0) {

+                                r = status;

+                                goto error;

+                        }

+                        if (status > 0) {

                                 log_dhcp6_client(client, "IA status %d",

                                                  status);

-                                dhcp6_lease_free_ia(ia);

-

                                 r = -EINVAL;

                                 goto error;

                         }

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

index b65c31171..15c4f445f 100644

--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c

@@ -828,13 +828,14 @@ static int client_parse_message(

                         break;

                 case SD_DHCP6_OPTION_STATUS_CODE:

-                        status = dhcp6_option_parse_status(option, optlen);

-                        if (status) {

+                        status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));

+                        if (status < 0)

+                                return status;

+

+                        if (status > 0) {

                                 log_dhcp6_client(client, "%s Status %s",

                                                  dhcp6_message_type_to_string(message->type),

                                                  dhcp6_message_status_to_string(status));

-                                dhcp6_lease_free_ia(&lease->ia);

-                                dhcp6_lease_free_ia(&lease->pd);

                                 return -EINVAL;

                         }

-- 

2.17.1

From 19b82104da425efdb9ad0207ccabf5a1a091b81a Mon Sep 17 00:00:00 2001

From: Yu Watanabe <watanabe.yu+github@gmail.com>

Date: Fri, 19 Oct 2018 03:42:10 +0900

Subject: [PATCH 7/9] sd-dhcp6: make dhcp6_option_parse_domainname() not store

 empty domain

This improves performance of fuzzer.

C.f. oss-fuzz#11019.

(cherry picked from commit 3c72b6ed4252e7ff5f7704bfe44557ec197b47fa)

(cherry picked from commit 50403cccee28c7dcd54b138a0d3b3f69ea0204fe)

(cherry picked from commit f11f5abb1a8b96b553d2d156f8b5cf440695c04d)

(cherry picked from commit c836279fca80fb22ca7ef02acaa5b987fee61123)

---

 .../src/libsystemd-network/dhcp6-option.c     | 66 ++++++++-----------

 1 file changed, 29 insertions(+), 37 deletions(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c

index cfddefcb5..be5c22237 100644

--- a/src/systemd/src/libsystemd-network/dhcp6-option.c

+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c

@@ -555,6 +555,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *

                 bool first = true;

                 for (;;) {

+                        const char *label;

                         uint8_t c;

                         c = optval[pos++];

@@ -562,47 +563,41 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *

                         if (c == 0)

                                 /* End of name */

                                 break;

-                        else if (c <= 63) {

-                                const char *label;

-

-                                /* Literal label */

-                                label = (const char *)&optval[pos];

-                                pos += c;

-                                if (pos >= optlen)

-                                        return -EMSGSIZE;

-

-                                if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {

-                                        r = -ENOMEM;

-                                        goto fail;

-                                }

-

-                                if (first)

-                                        first = false;

-                                else

-                                        ret[n++] = '.';

-

-                                r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);

-                                if (r < 0)

-                                        goto fail;

-

-                                n += r;

-                                continue;

-                        } else {

-                                r = -EBADMSG;

-                                goto fail;

-                        }

-                }

+                        if (c > 63)

+                                return -EBADMSG;

+

+                        /* Literal label */

+                        label = (const char *)&optval[pos];

+                        pos += c;

+                        if (pos >= optlen)

+                                return -EMSGSIZE;

+

+                        if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))

+                                return -ENOMEM;

+

+                        if (first)

+                                first = false;

+                        else

+                                ret[n++] = '.';

+

+                        r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);

+                        if (r < 0)

+                                return r;

-                if (!GREEDY_REALLOC(ret, allocated, n + 1)) {

-                        r = -ENOMEM;

-                        goto fail;

+                        n += r;

                 }

+                if (n == 0)

+                        continue;

+

+                if (!GREEDY_REALLOC(ret, allocated, n + 1))

+                        return -ENOMEM;

+

                 ret[n] = 0;

                 r = strv_extend(&names, ret);

                 if (r < 0)

-                        goto fail;

+                        return r;

                 idx++;

         }

@@ -610,7 +605,4 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *

         *str_arr = TAKE_PTR(names);

         return idx;

-

-fail:

-        return r;

 }

-- 

2.17.1

From 7dd0b1ae8cc44a6e3c91dc921a278f939d045f0d Mon Sep 17 00:00:00 2001

From: Li Song <song.li@honeywell.com>

Date: Fri, 19 Oct 2018 13:41:51 -0400

Subject: [PATCH 8/9] sd-dhcp: remove unreachable route after rebinding return

 NAK

(cherry picked from commit cc3981b1272b9ce37e7d734a7b2f42e84acac535)

(cherry picked from commit 915c2f675a23b2ae16d292d1ac570706f76b384d)

(cherry picked from commit cb77290a696dce924e2a993690634986ac035490)

(cherry picked from commit f211b140a5861ddedc2424946e3ab07d3b642b5f)

---

 src/systemd/src/libsystemd-network/sd-dhcp-client.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-client.c b/src/systemd/src/libsystemd-network/sd-dhcp-client.c

index c2f81e1c4..c28025410 100644

--- a/src/systemd/src/libsystemd-network/sd-dhcp-client.c

+++ b/src/systemd/src/libsystemd-network/sd-dhcp-client.c

@@ -1649,6 +1649,8 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i

                         client->timeout_resend =

                                 sd_event_source_unref(client->timeout_resend);

+                        client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);

+

                         r = client_initialize(client);

                         if (r < 0)

                                 goto error;

-- 

2.17.1

From 5a89e393279e8d0c8c2943b4cce99b91c5ebe903 Mon Sep 17 00:00:00 2001

From: Lennart Poettering <lennart@poettering.net>

Date: Fri, 19 Oct 2018 12:12:33 +0200

Subject: [PATCH 9/9] dhcp6: make sure we have enough space for the DHCP6

 option header

Fixes a vulnerability originally discovered by Felix Wilhelm from

Google.

CVE-2018-15688

LP: #1795921

https://bugzilla.redhat.com/show_bug.cgi?id=1639067

(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)

(cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79)

(cherry picked from commit fc230dca139142f409d7bac99dbfabe9b004e2fb)

(cherry picked from commit cc1e5a7f5731f223d1eb8473fa0eecbedfc0ae5f)

---

 src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c

index be5c22237..22970443d 100644

--- a/src/systemd/src/libsystemd-network/dhcp6-option.c

+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c

@@ -105,7 +105,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {

                 return -EINVAL;

         }

-        if (*buflen < len)

+        if (*buflen < offsetof(DHCP6Option, data) + len)

                 return -ENOBUFS;

         ia_hdr = *buf;

-- 

2.17.1