projects
/
freeradius.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
21e2e95
)
FR-GV-304 - check for option overflowing the packet
author
Alan T. DeKok
<aland@freeradius.org>
Mon, 3 Jul 2017 19:42:35 +0000
(15:42 -0400)
committer
Alan T. DeKok
<aland@freeradius.org>
Mon, 17 Jul 2017 12:36:24 +0000
(08:36 -0400)
src/modules/proto_dhcp/dhcp.c
patch
|
blob
|
history
diff --git
a/src/modules/proto_dhcp/dhcp.c
b/src/modules/proto_dhcp/dhcp.c
index
dbfe817
..
5fd922d
100644
(file)
--- a/
src/modules/proto_dhcp/dhcp.c
+++ b/
src/modules/proto_dhcp/dhcp.c
@@
-629,6
+629,24
@@
static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t c
uint32_t attr;
/*
+ * Not enough room for the option header, it's a
+ * bad packet.
+ */
+ if ((p + 2) > (data + len)) {
+ fr_pair_list_free(&head);
+ return -1;
+ }
+
+ /*
+ * Not enough room for the option header + data,
+ * it's a bad packet.
+ */
+ if ((p + 2 + p[1]) > (data + len)) {
+ fr_pair_list_free(&head);
+ return -1;
+ }
+
+ /*
* The initial OID string looks like:
* <iana>.0
*