changeset 4458:0e6212a4aa03 draft

DHCPv6: Fix a potential buffer overflow reading NA/TA addresses. Only copy up to the size of the address option rather than the option length. Found by Maxime Villard <max@m00nbsd.net>
author Roy Marples <roy@marples.name>
date Fri, 19 Apr 2019 09:45:02 +0100
parents e89d0b4f0bc7
children 293fe50331c8
files src/dhcp6.c
diffstat 1 files changed, 2 insertions(+), 2 deletions(-) [+]
--- a/src/dhcp6.c	Wed Apr 17 23:42:45 2019 +0100
+++ b/src/dhcp6.c	Fri Apr 19 09:45:02 2019 +0100
@@ -2029,12 +2029,12 @@
 		nd = o + ol;
 		l -= (size_t)(nd - d);
 		d = nd;
-		if (ol < 24) {
+		if (ol < sizeof(ia)) {
 			errno = EINVAL;
 			logerrx("%s: IA Address option truncated", ifp->name);
 			continue;
 		}
-		memcpy(&ia, o, ol);
+		memcpy(&ia, o, sizeof(ia));
 		ia.pltime = ntohl(ia.pltime);
 		ia.vltime = ntohl(ia.vltime);
 		/* RFC 3315 22.6 */
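Review bot: The bound in `if (ol < sizeof(ia))` and the copy length in `memcpy(&ia, o, sizeof(ia));` now depend on the in-memory layout of `ia` matching the 24-byte fixed part of the IA Address option on the wire. The declaration of `ia` is outside the hunk, so it is presumably an unpadded struct, but nothing visible here pins that. A compile-time check next to the declaration, for example `_Static_assert(sizeof(ia) == 24, "IA Address fixed part");` or the project's equivalent, would stop the length check from drifting if the struct is ever edited. A short comment above the copy would also record why `ol` is no longer used as the length: `/* ol may include trailing IAaddr-options; copy only the fixed part */`. The enclosing loop starts and ends outside the hunk, so whether `ol` is checked against the remaining length `l` before `nd = o + ol` cannot be confirmed from here.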