dhcpcd-discuss

Re: Backporting two dchpcd security patches to 6.0.5

Chris Lamb

Fri May 17 07:37:59 2019

Dear Roy,

Thanks again for your input.

> >> It is vulnerable because it looks at p[1].
> >> At this point we've not checked option length OR if it's inside
> >> the buffer.
> > 
> > 
> > Getcha, so something like:
> > 
> >   			op = p + 1;
> >   			bl += ol;
> >   		}
> > +		if (p + l > e) {
> > +			errno = EINVAL;
> > +			return NULL;
> > +		}
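Review bot: `l` is not in scope where the added `if (p + l > e)` check sits; the surrounding lines only show `op`, `ol`, `bl` and `p`, and the read identified earlier in the thread as unchecked is `p[1]`, the length byte itself. The bounds check therefore has to come before that read: confirm `p + 1 < e` before reading the length, then compare `p + 2 + <length>` against `e` before touching the option body. DHO_PAD and DHO_END carry no length byte, so they need to be recognised as single-byte options before any length is read, otherwise the check consults a byte that is not a length at all.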
> 
> You don't have the variable l at this point.
> Also, DHO_PAD and DHO_END are special in that they don't have any length 
> attribute so you have to look for it after parsing those options.

Hm, I don't quite follow. Would it be possible for you to quickly
mockup what you mean? I would, naturally, be very happy to test.


> > -			if (!overl)
> > +			if (l == 1 && !overl)
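Review bot: the added `l == 1` guard relies on `l` holding the current option's length, but the earlier hunk in this thread shows `l` is not yet available at the point where the new bounds check was placed. Make sure this line is reached only after the length byte has been read and bounds-checked for the current option; otherwise the comparison is against a variable that is either undeclared in the backport or not set for this option.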
[…]
> You will need that too.

ACK, and thanks once again. :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@xxxxxxxxxx 🍥 chris-lamb.co.uk
       `-
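To make the points in the thread concrete (check that the length byte is inside the buffer before reading it, check the option body against the end before skipping it, and treat DHO_PAD and DHO_END as single-byte options with no length), here is an added example of a bounds-checked DHCP option scanner. It is not dhcpcd's code and not the patch under discussion; the function name `find_option`, the helper `probe` and the sample buffers are constructed for illustration, and the option values DHO_PAD = 0 and DHO_END = 255 are the RFC 2132 codes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 2132 option codes; the macro names mirror the thread, not dhcpcd's headers. */
#define DHO_PAD 0
#define DHO_END 255

/*
 * Hypothetical helper: locate option `opt` in the option buffer [p, e).
 * Every read of p[0] or p[1] is preceded by a check that the byte lies
 * inside the buffer, and the body length is checked against `e` before
 * the option is skipped or returned.
 * Returns a pointer to the option body with its length in *len, or NULL
 * with errno = EINVAL (malformed) or errno = ENOENT (well-formed, absent).
 */
static const uint8_t *
find_option(const uint8_t *p, const uint8_t *e, uint8_t opt, size_t *len)
{
    while (p < e) {
        uint8_t code = *p;            /* p < e, so p[0] is readable */
        if (code == DHO_PAD) {        /* single byte, no length field */
            p++;
            continue;
        }
        if (code == DHO_END)          /* single byte, ends the option list */
            break;
        if (p + 1 >= e) {             /* length byte would be past the end */
            errno = EINVAL;
            return NULL;
        }
        size_t l = p[1];              /* safe: p + 1 < e */
        if ((size_t)(e - p) < 2 + l) { /* body would overrun the buffer */
            errno = EINVAL;
            return NULL;
        }
        if (code == opt) {
            *len = l;
            return p + 2;
        }
        p += 2 + l;                   /* checked above, stays within [p, e] */
    }
    errno = ENOENT;
    return NULL;
}

/* Constructed sample: PAD, option 53 (len 1), option 12 (len 4, "host"), END. */
static const uint8_t sample_ok[]    = { 0, 53, 1, 2, 12, 4, 'h', 'o', 's', 't', 255 };
/* Constructed sample: option 12 claims 4 bytes but only 2 follow. */
static const uint8_t sample_trunc[] = { 53, 1, 2, 12, 4, 'h', 'o' };
/* Constructed sample: option code is the last byte, so there is no length byte. */
static const uint8_t sample_nolen[] = { 53, 1, 2, 12 };

/* Hypothetical helper: option length if found, -1 for EINVAL, -2 for ENOENT. */
static int
probe(const uint8_t *buf, size_t n, uint8_t opt)
{
    size_t len = 0;
    const uint8_t *body = find_option(buf, buf + n, opt, &len);
    if (body != NULL)
        return (int)len;
    return errno == EINVAL ? -1 : -2;
}

int
main(void)
{
    printf("ok/12:    %d\n", probe(sample_ok, sizeof sample_ok, 12));       /* 4  */
    printf("ok/99:    %d\n", probe(sample_ok, sizeof sample_ok, 99));       /* -2 */
    printf("trunc/12: %d\n", probe(sample_trunc, sizeof sample_trunc, 12)); /* -1 */
    printf("nolen/12: %d\n", probe(sample_nolen, sizeof sample_nolen, 12)); /* -1 */
    return 0;
}
```

The two checks are deliberately separate: the first guards the read of the length byte, which is the read the thread identified as unchecked; the second guards the body. Folding them into one `p + l > e` test, as the quoted patch attempted, is impossible because `l` cannot be known until the first check has passed.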
