From 64383aae90fe4a1c1b5c4e4098e924c0e2623471 Mon Sep 17 00:00:00 2001 From: Jan Synacek Date: Thu, 1 Nov 2018 13:11:11 +0100 Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option header Fixes a vulnerability originally discovered by Felix Wilhelm from Google. (cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79) Resolves: CVE-2018-15688 --- src/libsystemd-network/dhcp6-option.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c index ea863f45e..649bbea30 100644 --- a/src/libsystemd-network/dhcp6-option.c +++ b/src/libsystemd-network/dhcp6-option.c @@ -100,7 +100,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { return -EINVAL; } - if (*buflen < len) + if (*buflen < offsetof(DHCP6Option, data) + len) return -ENOBUFS; ia_hdr = *buf;