From 4929ae5d13a2750f83cd1a7fd0191b8fca4d32d0 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 3 Jul 2017 15:42:35 -0400
Subject: [PATCH] FR-GV-304 - check for option overflowing the packet
---
 src/modules/proto_dhcp/dhcp.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
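--- a/src/modules/proto_dhcp/dhcp.c
+++ b/src/modules/proto_dhcp/dhcp.c
@@ -629,6 +629,24 @@ static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t c
 		uint32_t	attr;
 
 		/*
+		 *	Not enough room for the option header, it's a
+		 *	bad packet.
+		 */
+		if ((p + 2) > (data + len)) {
+			fr_pair_list_free(&head;;
+			return -1;
+		}
+
+		/*
+		 *	Not enough room for the option header + data,
+		 *	it's a bad packet.
+		 */
+		if ((p + 2 + p[1]) > (data + len)) {
+			fr_pair_list_free(&head;;
+			return -1;
+		}
+
+		/*
 		 *	The initial OID string looks like:
 		 *	<iana>.0
 		 *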
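Review bot: Both new bounds checks, `(p + 2) > (data + len)` and `(p + 2 + p[1]) > (data + len)`, build a pointer that can lie as much as 255 bytes past the end of the buffer before comparing it. C leaves that arithmetic undefined once the result is more than one element past the end, so an optimizing compiler is not obliged to keep the test. Comparing the remaining length avoids the problem: `if ((data + len) - p < 2) {` and `if ((data + len) - p < 2 + p[1]) {`. This assumes the loop already guarantees `p <= data + len`; the loop header and the declarations of `data`, `len` and `head` are outside the hunk. Both rejection paths also return -1 without recording a reason, so setting a short error string before the return would let operators tell a malformed sub-option from other decode failures.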
-- 
2.13.2