|
 |
0c8692 |
From bdb61c66cf0594fef26c6fc790092815c2d09721 Mon Sep 17 00:00:00 2001
|
|
|
0c8692 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
0c8692 |
Date: Tue, 12 Feb 2019 17:31:31 +0100
|
|
|
0c8692 |
Subject: [PATCH] conntrackd: helpers: dhcpv6: Fix potential array overrun
|
|
|
0c8692 |
|
|
|
0c8692 |
The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
|
|
|
0c8692 |
array, so upper boundary check has to treat a value of
|
|
|
0c8692 |
ARRAY_SIZE(dhcpv6_timeouts) as invalid.
|
|
|
0c8692 |
|
|
|
0c8692 |
Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
|
|
|
0c8692 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
0c8692 |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
0c8692 |
(cherry picked from commit 764a435c26e29900921ad5cdbd160a466c3c7416)
|
|
|
0c8692 |
---
|
|
|
0c8692 |
src/helpers/dhcpv6.c | 2 +-
|
|
|
0c8692 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
0c8692 |
|
|
|
0c8692 |
diff --git a/src/helpers/dhcpv6.c b/src/helpers/dhcpv6.c
|
|
|
0c8692 |
index 73632ec181a95..f87b6cebfe157 100644
|
|
|
0c8692 |
--- a/src/helpers/dhcpv6.c
|
|
|
0c8692 |
+++ b/src/helpers/dhcpv6.c
|
|
|
0c8692 |
@@ -72,7 +72,7 @@ dhcpv6_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
|
|
0c8692 |
return NF_ACCEPT;
|
|
|
0c8692 |
|
|
|
0c8692 |
dhcpv6_msg_type = pktb_network_header(pkt) + protoff + sizeof(struct udphdr);
|
|
|
0c8692 |
- if (*dhcpv6_msg_type > ARRAY_SIZE(dhcpv6_timeouts)) {
|
|
|
0c8692 |
+ if (*dhcpv6_msg_type >= ARRAY_SIZE(dhcpv6_timeouts)) {
|
|
|
0c8692 |
printf("Dropping DHCPv6 message with bad type %u\n",
|
|
|
0c8692 |
*dhcpv6_msg_type);
|
|
|
0c8692 |
return NF_DROP;
|
|
|
0c8692 |
--
|
|
|
0c8692 |
2.21.0
|
|
|
0c8692 |
|