Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 02:08:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge OOB memory read fix. CVE-2025-54318

Browse Source
This commit is contained in:
Simon Kelley
2025-12-06 13:58:36 +00:00
parent 05464a173b 052aa0fcf3
commit 629107bd6d
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/rfc3315.c
View File

@@ -1596,9 +1596,14 @@ static void get_context_tag(struct state *state, struct dhcp_context *context)
static int check_ia(struct state *state, void *opt, void **endp, void **ia_option) static int check_ia(struct state *state, void *opt, void **endp, void **ia_option)
{ {
state->ia_type = opt6_type(opt);
*ia_option = NULL; *ia_option = NULL;
/* must be a minimal option to check without stepping outside received packet. */
if (opt6_ptr(opt, 4) > state->end)
return 0;
state->ia_type = opt6_type(opt);
if (state->ia_type != OPTION6_IA_NA && state->ia_type != OPTION6_IA_TA) if (state->ia_type != OPTION6_IA_NA && state->ia_type != OPTION6_IA_TA)
return 0; return 0;
@@ -1608,7 +1613,10 @@ static int check_ia(struct state *state, void *opt, void **endp, void **ia_optio
if (state->ia_type == OPTION6_IA_TA && opt6_len(opt) < 4) if (state->ia_type == OPTION6_IA_TA && opt6_len(opt) < 4)
return 0; return 0;
*endp = opt6_ptr(opt, opt6_len(opt)); /* Check we don't overflow the received packet. */
if ((*endp = opt6_ptr(opt, opt6_len(opt))) > state->end)
return 0;
state->iaid = opt6_uint(opt, 0, 4); state->iaid = opt6_uint(opt, 0, 4);
*ia_option = opt6_find(opt6_ptr(opt, state->ia_type == OPTION6_IA_NA ? 12 : 4), *endp, OPTION6_IAADDR, 24); *ia_option = opt6_find(opt6_ptr(opt, state->ia_type == OPTION6_IA_NA ? 12 : 4), *endp, OPTION6_IAADDR, 24);