authorRoy Marples <roy@marples.name>2019-04-19 09:45:02 +0100
committerRoy Marples <roy@marples.name>2019-04-19 09:45:02 +0100
commit8d11b33f6c60e2db257130fa383ba76b6018bcf6 (patch)
tree2e9e683a05ff512275750a1091caaf9a73e668f2
parentfbba0089e260630e9de36f367e0d3f128c00ae1f (diff)
DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
Only copy up to the size of the address option rather than the option length. Found by Maxime Villard <max@m00nbsd.net>
-rw-r--r--src/dhcp6.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/dhcp6.c b/src/dhcp6.c
index 99a452bb..8fc4f000 100644
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -2029,12 +2029,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid,
nd = o + ol;
l -= (size_t)(nd - d);
d = nd;
- if (ol < 24) {
+ if (ol < sizeof(ia)) {
errno = EINVAL;
logerrx("%s: IA Address option truncated", ifp->name);
continue;
}
- memcpy(&ia, o, ol);
+ memcpy(&ia, o, sizeof(ia));
ia.pltime = ntohl(ia.pltime);
ia.vltime = ntohl(ia.vltime);
/* RFC 3315 22.6 */
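Review bot: The length check `if (ol < sizeof(ia))` and the copy now both depend on `sizeof(ia)` matching the 24-byte fixed part of the IA Address option that the old literal spelled out, and nothing in the hunk pins that equality. The declaration of `ia` is outside the hunk, so this is inferred, but if the struct ever picks up padding or another field the check would start rejecting well-formed options and the fields after the copy would be misparsed. A compile-time check beside it, for example `_Static_assert(sizeof(ia) == 24, "IA Address fixed part is 24 bytes");` where the build allows C11, would keep the struct and the wire format in step. A short comment above the memcpy such as `/* ol also covers any trailing IAaddr-options; copy only the fixed part */` would record why the length is not `ol`, so the bound is not reverted later. The enclosing loop in dhcp6_findna starts and ends outside the hunk.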