diff options
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2018-09-30 20:23:58 +0900 |
|---|---|---|
| committer | Thomas Haller <thaller@redhat.com> | 2018-10-05 00:38:09 +0200 |
| commit | 425bb3f8799f8c94bc67e417ad8ae0101d0ab9b3 (patch) | |
| tree | 41398038b460d2158812079a5e37f1f293d13e85 | |
| parent | 6d3bfd139c01038b03be3ce0f46ce520ff97cee2 (diff) | |
dhcp6: check option length before reading values
Fixes oss-fuzz#10746
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10746.
https://github.com/systemd/systemd/pull/10213
https://github.com/systemd/systemd/commit/84452783b8bcc44e0dbb7fa6ddc6dad8c064bdfe
| -rw-r--r-- | src/systemd/src/libsystemd-network/dhcp6-internal.h | 2 | ||||
| -rw-r--r-- | src/systemd/src/libsystemd-network/dhcp6-option.c | 11 | ||||
| -rw-r--r-- | src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 2 |
3 files changed, 8 insertions, 7 deletions
diff --git a/src/systemd/src/libsystemd-network/dhcp6-internal.h b/src/systemd/src/libsystemd-network/dhcp6-internal.h index f1cbd6a4f..06e2e5324 100644 --- a/src/systemd/src/libsystemd-network/dhcp6-internal.h +++ b/src/systemd/src/libsystemd-network/dhcp6-internal.h @@ -91,7 +91,7 @@ int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd); int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn); int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, size_t *optlen, uint8_t **optvalue); -int dhcp6_option_parse_status(DHCP6Option *option); +int dhcp6_option_parse_status(DHCP6Option *option, size_t len); int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia); int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, struct in6_addr **addrs, size_t count, diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c index a8a56463a..e462b7083 100644 --- a/src/systemd/src/libsystemd-network/dhcp6-option.c +++ b/src/systemd/src/libsystemd-network/dhcp6-option.c @@ -249,10 +249,11 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, return 0; } -int dhcp6_option_parse_status(DHCP6Option *option) { +int dhcp6_option_parse_status(DHCP6Option *option, size_t len) { DHCP6StatusOption *statusopt = (DHCP6StatusOption *)option; - if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*statusopt)) + if (len < sizeof(DHCP6StatusOption) || + be16toh(option->len) + sizeof(DHCP6Option) < sizeof(DHCP6StatusOption)) return -ENOBUFS; return be16toh(statusopt->status); @@ -279,7 +280,7 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia, } if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*addr_option)) { - r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options); + r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*addr_option)); if (r != 0) return r < 0 ? r: 0; } @@ -319,7 +320,7 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia, } if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*pdprefix_option)) { - r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options); + r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*pdprefix_option)); if (r != 0) return r < 0 ? r: 0; } @@ -464,7 +465,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) { case SD_DHCP6_OPTION_STATUS_CODE: - status = dhcp6_option_parse_status(option); + status = dhcp6_option_parse_status(option, optlen); if (status) { log_dhcp6_client(client, "IA status %d", status); diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c index 882a7eb8b..8444a750a 100644 --- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c @@ -870,7 +870,7 @@ static int client_parse_message( break; case SD_DHCP6_OPTION_STATUS_CODE: - status = dhcp6_option_parse_status(option); + status = dhcp6_option_parse_status(option, optlen); if (status) { log_dhcp6_client(client, "%s Status %s", dhcp6_message_type_to_string(message->type), |