From 361d374a0fe724b09d300c1f0d1819f8be34b836 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 19 Oct 2018 12:12:33 +0200 Subject: dhcp6: make sure we have enough space for the DHCP6 option header Fixes a vulnerability originally discovered by Felix Wilhelm from Google. CVE-2018-15688 LP: #1795921 https://bugzilla.redhat.com/show_bug.cgi?id=1639067 (cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) (cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79) (cherry picked from commit fc230dca139142f409d7bac99dbfabe9b004e2fb) (cherry picked from commit cc1e5a7f5731f223d1eb8473fa0eecbedfc0ae5f) (cherry picked from commit c3221cb0c5b4a2936c198e33b6f7853141991277) (cherry picked from commit f4f765534191ed3c5d8e78b97333f3fd978a2b63) (cherry picked from commit 2a25872910606d83f0532d668e73ab4809ee7f90) (cherry picked from commit ec471872e47f389d88a0dc6a12164feed378de39) (cherry picked from commit 6e56de0d87aa7891290ce907ecd7b725e73e3bc3) --- src/dhcp-manager/systemd-dhcp/src/libsystemd-network/dhcp6-option.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dhcp-manager/systemd-dhcp/src/libsystemd-network/dhcp6-option.c b/src/dhcp-manager/systemd-dhcp/src/libsystemd-network/dhcp6-option.c index 3d6e24623a..40f77888a2 100644 --- a/src/dhcp-manager/systemd-dhcp/src/libsystemd-network/dhcp6-option.c +++ b/src/dhcp-manager/systemd-dhcp/src/libsystemd-network/dhcp6-option.c @@ -104,7 +104,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { return -EINVAL; } - if (*buflen < len) + if (*buflen < offsetof(DHCP6Option, data) + len) return -ENOBUFS; ia_hdr = *buf; -- cgit v1.2.1