You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 lines
1001 B
29 lines
1001 B
5 years ago
|
From 64383aae90fe4a1c1b5c4e4098e924c0e2623471 Mon Sep 17 00:00:00 2001
|
||
|
From: Jan Synacek <jsynacek@redhat.com>
|
||
|
Date: Thu, 1 Nov 2018 13:11:11 +0100
|
||
|
Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option
|
||
|
header
|
||
|
|
||
|
Fixes a vulnerability originally discovered by Felix Wilhelm from Google.
|
||
|
|
||
|
(cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79)
|
||
|
|
||
|
Resolves: CVE-2018-15688
|
||
|
---
|
||
|
src/libsystemd-network/dhcp6-option.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
|
||
|
index ea863f45e4..649bbea304 100644
|
||
|
--- a/src/libsystemd-network/dhcp6-option.c
|
||
|
+++ b/src/libsystemd-network/dhcp6-option.c
|
||
|
@@ -100,7 +100,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
|
||
|
return -EINVAL;
|
||
|
}
|
||
|
|
||
|
- if (*buflen < len)
|
||
|
+ if (*buflen < offsetof(DHCP6Option, data) + len)
|
||
|
return -ENOBUFS;
|
||
|
|
||
|
ia_hdr = *buf;
|