From d182960ae974a0074010a058d0d909846a2f3f79 Mon Sep 17 00:00:00 2001
From: Patrik Flykt <patrik.flykt@linux.intel.com>
Date: Fri, 29 Aug 2014 09:20:46 +0300
Subject: [PATCH] test-dhcp6-client: Fix option length
|
The whole DHCPv6 test message length was incorrectly used as the length
of DHCPv6 options causing the following bad memory access:
|
$ build/test-dhcp6-client
Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
=================================================================
==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
READ of size 1 at 0x7fe204aa9148 thread T0
#0 0x7fe204a5958e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
#1 0x7fe204a59884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
#2 0x7fe204a4eb9c in test_advertise_option ../src/libsystemd-network/test-dhcp6-client.c:227
#3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
#4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
#5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
|
0x7fe204aa9148 is located 2 bytes to the right of global variable 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9080) of size 198
0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 173
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
---
src/libsystemd-network/test-dhcp6-client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
|
diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
index 96c68e1feb..259db33bcd 100644
--- a/src/libsystemd-network/test-dhcp6-client.c
+++ b/src/libsystemd-network/test-dhcp6-client.c
@@ -207,7 +207,7 @@ static int test_advertise_option(sd_event *e) {
DHCP6Message *advertise = (DHCP6Message *)msg_advertise;
uint8_t *optval, *opt = &msg_advertise[sizeof(DHCP6Message)];
uint16_t optcode;
- size_t optlen, len = sizeof(msg_advertise);
+ size_t optlen, len = sizeof(msg_advertise) - sizeof(DHCP6Message);
be32_t val;
uint8_t preference = 255;
struct in6_addr addr;
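Review bot: On the new declaration, `len` and `opt` are each derived from `sizeof(DHCP6Message)` separately, so nothing ties the length bound to the pointer it bounds, and that mismatch is what produced the out-of-bounds read in the commit message. A comment on the declaration would record the invariant for the next edit, for example `/* len = option bytes remaining from opt, not the whole message; dhcp6_option_parse() uses it as its bound */`. The ASan report also names `msg_reply` in the same file, so it is worth confirming that any test parsing that buffer computes its option length the same way. The body of `test_advertise_option` continues outside this hunk, so that cannot be checked from here.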