Blame SOURCES/freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch

From 4929ae5d13a2750f83cd1a7fd0191b8fca4d32d0 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 3 Jul 2017 15:42:35 -0400
Subject: [PATCH] FR-GV-304 - check for option overflowing the packet
---
 src/modules/proto_dhcp/dhcp.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
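diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c
index dbfe81747..5fd922d03 100644
--- a/src/modules/proto_dhcp/dhcp.c
+++ b/src/modules/proto_dhcp/dhcp.c
@@ -629,6 +629,24 @@ static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t c
 		uint32_t	attr;
 
 		/*
+		 *	Not enough room for the option header, it's a
+		 *	bad packet.
+		 */
+		if ((p + 2) > (data + len)) {
+			fr_pair_list_free(&head;;
+			return -1;
+		}
+
+		/*
+		 *	Not enough room for the option header + data,
+		 *	it's a bad packet.
+		 */
+		if ((p + 2 + p[1]) > (data + len)) {
+			fr_pair_list_free(&head;;
+			return -1;
+		}
+
+		/*
 		 *	The initial OID string looks like:
 		 *	<iana>.0
 		 *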
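Review bot: Both added bounds checks build the pointers `p + 2` and `p + 2 + p[1]` before comparing them with `data + len`, so on a truncated option the pointer expression itself can point more than one element past the end of the buffer, which is undefined behaviour in C and leaves the comparison at the mercy of the optimiser or of address wrap-around. Comparing the remaining length avoids forming an out-of-range pointer: `size_t left = (size_t)((data + len) - p);` followed by `if (left < 2 || left < 2u + p[1]) {` with the same free-and-return body. This assumes `p` never exceeds `data + len` when the loop body is entered, which cannot be confirmed here because the declarations of `p`, `data`, `len` and `head` and the rest of fr_dhcp_decode_suboption lie outside the hunk. The `fr_pair_list_free(&head;;` lines look like an HTML-entity rendering artefact of this page rather than the committed text, so check the call against the upstream patch before applying.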
-- 
2.13.2