Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow.

Browse Source 
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
This commit is contained in:
Simon Kelley
2017-09-25 18:52:50 +01:00
parent 24036ea507
commit 3d4ff1ba84
2 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
CHANGELOG
View File

@@ -43,6 +43,14 @@ version 2.78
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
and Kevin Hamacher of the Google Security Team for and Kevin Hamacher of the Google Security Team for
finding this. finding this.
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
CVE-2017-14493 applies.
Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
and Kevin Hamacher of the Google Security Team for
finding this.
version 2.77 version 2.77

3
src/rfc3315.c
View File

@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
/* RFC-6939 */ /* RFC-6939 */
if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
{ {
if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
return 0;
}
state->mac_type = opt6_uint(opt, 0, 2); state->mac_type = opt6_uint(opt, 0, 2);
state->mac_len = opt6_len(opt) - 2; state->mac_len = opt6_len(opt) - 2;
memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);