Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix bounds checking in check_ia()

Browse Source 
A malformed DHCP request can cause out-bounds memory reads, and probably SEGV.
This commit is contained in:
Simon Kelley
2025-07-05 18:11:34 +01:00
parent f74b74e521
commit 052aa0fcf3
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/rfc3315.c
View File

@@ -1593,9 +1593,14 @@ static void get_context_tag(struct state *state, struct dhcp_context *context)
static int check_ia(struct state *state, void *opt, void **endp, void **ia_option)
{
state->ia_type = opt6_type(opt);
*ia_option = NULL;
/* must be a minimal option to check without stepping outside received packet. */
if (opt6_ptr(opt, 4) > state->end)
return 0;
state->ia_type = opt6_type(opt);
if (state->ia_type != OPTION6_IA_NA && state->ia_type != OPTION6_IA_TA)
return 0;
@@ -1605,7 +1610,10 @@ static int check_ia(struct state *state, void *opt, void **endp, void **ia_optio
if (state->ia_type == OPTION6_IA_TA && opt6_len(opt) < 4)
return 0;
*endp = opt6_ptr(opt, opt6_len(opt));
/* Check we don't overflow the received packet. */
if ((*endp = opt6_ptr(opt, opt6_len(opt))) > state->end)
return 0;
state->iaid = opt6_uint(opt, 0, 4);
*ia_option = opt6_find(opt6_ptr(opt, state->ia_type == OPTION6_IA_NA ? 12 : 4), *endp, OPTION6_IAADDR, 24);