| From 01ca2053bbea09f35b958c8cc7631e15469acb79 Mon Sep 17 00:00:00 2001 |
| From: Lennart Poettering <lennart@poettering.net> |
| Date: Fri, 19 Oct 2018 12:12:33 +0200 |
| Subject: dhcp6: make sure we have enough space for the DHCP6 option header |
| |
| Fixes a vulnerability originally discovered by Felix Wilhelm from |
| Google. |
| |
| CVE-2018-15688 |
| LP: #1795921 |
| https://bugzilla.redhat.com/show_bug.cgi?id=1639067 |
| |
| (cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) |
| |
| Patch downloaded from upstream commit: |
| https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=01ca2053bbea09f35b958c8cc7631e15469acb79 |
| |
| Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> |
| --- |
| src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c |
| index d178fe2..9027c14 100644 |
| --- a/src/systemd/src/libsystemd-network/dhcp6-option.c |
| +++ b/src/systemd/src/libsystemd-network/dhcp6-option.c |
| @@ -108,7 +108,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia) { |
| return -EINVAL; |
| } |
| |
| - if (*buflen < len) |
| + if (*buflen < offsetof(DHCP6Option, data) + len) |
| return -ENOBUFS; |
| |
| ia_hdr = *buf; |
| -- |
| cgit v1.1 |
| |
