diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2016-01-28 00:49:22 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-01-28 13:30:29 +0000 |
commit | fe22a82fa0bd187a39d130d593c4d56d4749a174 (patch) | |
tree | 7a56853ec98d87b1335d2b4ca7a09bab66e5baec /src | |
parent | 62968599557ac81b0f811481f6b06886ddcf0cdb (diff) | |
download | odhcp6c-fe22a82fa0bd187a39d130d593c4d56d4749a174.tar.gz |
Fix possible stack buffer overflow in s46_to_env when copying IPv6 prefixes
An 8-bit prefix-length field can be as large as 255, but values larger
than 128 will result in a buffer overflow when copying to in6.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'src')
-rw-r--r-- | src/script.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/script.c b/src/script.c index 89cb0d6..3579331 100644 --- a/src/script.c +++ b/src/script.c @@ -282,7 +282,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len size_t prefix6len = rule->prefix6_len; prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1; - if (olen < sizeof(struct dhcpv6_s46_rule) + prefix6len) + if (prefix6len > sizeof(in6) || + olen < sizeof(struct dhcpv6_s46_rule) + prefix6len) continue; memcpy(&in6, rule->ipv6_prefix, prefix6len); @@ -311,7 +312,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len size_t prefix6len = dmr->dmr_prefix6_len; prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1; - if (olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len) + if (prefix6len > sizeof(in6) || + olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len) continue; memcpy(&in6, dmr->dmr_ipv6_prefix, prefix6len); @@ -330,7 +332,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len size_t prefix6len = bind->bindprefix6_len; prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1; - if (olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len) + if (prefix6len > sizeof(in6) || + olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len) continue; memcpy(&in6, bind->bind_ipv6_prefix, prefix6len); |