author | David Hankins <dhankins@isc.org> | 2009-06-19 23:24:19 +0000 |
---|---|---|
committer | David Hankins <dhankins@isc.org> | 2009-06-19 23:24:19 +0000 |
commit | 8a4e543b51677c3033cb6a9fc0b77e772063dd6a (patch) | |
tree | 6f3c62bdfeb78ca3fc132ffd19ddbb5fc7c16566 /client | |
parent | 9e3eb22ab78a2645f9d4107447b91549f0cac1ea (diff) | |
download | isc-dhcp-8a4e543b51677c3033cb6a9fc0b77e772063dd6a.tar.gz |
! A stack overflow vulnerability was fixed in dhclient that could allow
remote attackers to execute arbitrary commands as root on the system,
or simply terminate the client, by providing an over-long subnet-mask
option. [ISC-Bugs #19839]
Diffstat (limited to 'client')
-rw-r--r-- | client/dhclient.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/client/dhclient.c b/client/dhclient.c index 580c7126..99f0ec1a 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -3070,8 +3070,15 @@ void script_write_params (client, prefix, lease) if (data.len > 3) { struct iaddr netmask, subnet, broadcast; - memcpy (netmask.iabuf, data.data, data.len); - netmask.len = data.len; + /* + * No matter the length of the subnet-mask option, + * use only the first four octets. Note that + * subnet-mask options longer than 4 octets are not + * in conformance with RFC 2132, but servers with this + * flaw do exist. + */ + memcpy(netmask.iabuf, data.data, 4); + netmask.len = 4; data_string_forget (&data, MDL); subnet = subnet_number (lease -> address, netmask); |
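Review bot: The hard-coded 4 in `memcpy(netmask.iabuf, data.data, 4)` and `netmask.len = 4` silently truncates an over-long subnet-mask option and then proceeds as if it were valid. Since the new comment itself says such options do not conform to RFC 2132, consider logging the received `data.len` whenever it is not 4, so that a malformed or hostile server is visible to the operator instead of only being clamped. Reading four octets from `data.data` is safe only because of the enclosing `if (data.len > 3)` check, and the comment should say so, so that a later change to that guard does not turn this into an over-read. A single named constant for the IPv4 address length would also keep the copy size and `netmask.len` from drifting apart. This hunk covers only the subnet-mask option, so it is worth checking the rest of the client for other copies into an `iaddr` buffer that still take their length from `data.len`.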