From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Mon, 25 Sep 2017 18:52:50 +0100 Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow. Fix stack overflow in DHCPv6 code. An attacker who can send a DHCPv6 request to dnsmasq can overflow the stack frame and crash or control dnsmasq. --- CHANGELOG | 8 ++++++++ src/rfc3315.c | 3 +++ 2 files changed, 11 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index df6c157..c48378f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -43,6 +43,14 @@ version 2.78 Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher of the Google Security Team for finding this. + + Fix stack overflow in DHCPv6 code. An attacker who can send + a DHCPv6 request to dnsmasq can overflow the stack frame and + crash or control dnsmasq. + CVE-2017-14493 applies. + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana + and Kevin Hamacher of the Google Security Team for + finding this. version 2.77 diff --git a/src/rfc3315.c b/src/rfc3315.c index 1687931..920907c 100644 --- a/src/rfc3315.c +++ b/src/rfc3315.c @@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, /* RFC-6939 */ if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) { + if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) { + return 0; + } state->mac_type = opt6_uint(opt, 0, 2); state->mac_len = opt6_len(opt) - 2; memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);