dhcp6: make sure we have enough space for the DHCP6 option header

Fixes a vulnerability originally discovered by Felix Wilhelm from Google. CVE-2018-15688 LP: #1795921 https://bugzilla.redhat.com/show_bug.cgi?id=1639067 (cherry-picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) Resolves: #1643363
author: Lennart Poettering <lennart@poettering.net> 2018-10-19 12:12:33 +0200
committer: Lukáš Nykrýn <lnykryn@redhat.com> 2018-12-04 13:16:10 +0100
commit: c232bc1f346a6af9777c216d01f7940898ae1650 (patch)
tree: 170dea5aad7dbb6abe16892b2a1b1d1d1dc58710
parent: ebdb96247433d920b391672e019da9402aabd351 (diff)
download: systemd-c232bc1f346a6af9777c216d01f7940898ae1650.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
index 18196b1257..0979497299 100644
--- a/src/libsystemd-network/dhcp6-option.c
+++ b/src/libsystemd-network/dhcp6-option.c
@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
                 return -EINVAL;
         }
 
-        if (*buflen < len)
+        if (*buflen < offsetof(DHCP6Option, data) + len)
                 return -ENOBUFS;
 
         ia_hdr = *buf;
author	Lennart Poettering <lennart@poettering.net>	2018-10-19 12:12:33 +0200
committer	Lukáš Nykrýn <lnykryn@redhat.com>	2018-12-04 13:16:10 +0100
commit	c232bc1f346a6af9777c216d01f7940898ae1650 (patch)
tree	170dea5aad7dbb6abe16892b2a1b1d1d1dc58710
parent	ebdb96247433d920b391672e019da9402aabd351 (diff)
download	systemd-c232bc1f346a6af9777c216d01f7940898ae1650.tar.gz