projects / pve-qemu.git / blame
| Commit | Line | Data |
|---|---|---|
| 3dcc8d3b | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| e74c0f31 WB |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> |
| 3 | Date: Mon, 17 Jul 2017 17:33:26 +0530 | |
| 3dcc8d3b | 4 | Subject: [PATCH] slirp: check len against dhcp options array end |
| e74c0f31 WB |
5 | |
| 6 | While parsing dhcp options string in 'dhcp_decode', if an options' | |
| 7 | length 'len' appeared towards the end of 'bp_vend' array, ensuing | |
| 8 | read could lead to an OOB memory access issue. Add check to avoid it. | |
| 9 | ||
| 10 | This is CVE-2017-11434. | |
| 11 | ||
| 12 | Reported-by: Reno Robert <renorobert@gmail.com> | |
| 13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
| 14 | Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> | |
| 15 | --- | |
| 16 | slirp/bootp.c | 3 +++ | |
| 17 | 1 file changed, 3 insertions(+) | |
| 18 | ||
| 19 | diff --git a/slirp/bootp.c b/slirp/bootp.c | |
| 20 | index 5a4646c182..5dd1a415b5 100644 | |
| 21 | --- a/slirp/bootp.c | |
| 22 | +++ b/slirp/bootp.c | |
| 23 | @@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, | |
| 24 | if (p >= p_end) | |
| 25 | break; | |
| 26 | len = *p++; | |
| 27 | + if (p + len > p_end) { | |
| 28 | + break; | |
| 29 | + } | |
| 30 | DPRINTF("dhcp: tag=%d len=%d\n", tag, len); | |
| 31 | ||
| 32 | switch(tag) { | |
| 33 | -- | |
| 34 | 2.11.0 | |
| 35 |