debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Mon, 17 Jul 2017 17:33:26 +0530
   4 Subject: [PATCH] slirp: check len against dhcp options array end
   5
   6 While parsing dhcp options string in 'dhcp_decode', if an options'
   7 length 'len' appeared towards the end of 'bp_vend' array, ensuing
   8 read could lead to an OOB memory access issue. Add check to avoid it.
   9
  10 This is CVE-2017-11434.
  11
  12 Reported-by: Reno Robert <renorobert@gmail.com>
  13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  14 Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
  15 ---
  16  slirp/bootp.c | 3 +++
  17  1 file changed, 3 insertions(+)
  18
  19 diff --git a/slirp/bootp.c b/slirp/bootp.c
  20 index 5a4646c182..5dd1a415b5 100644
  21 --- a/slirp/bootp.c
  22 +++ b/slirp/bootp.c
  23 @@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
  24              if (p >= p_end)
  25                  break;
  26              len = *p++;
  27 +            if (p + len > p_end) {
  28 +                break;
  29 +            }
  30              DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
  31
  32              switch(tag) {
  33 --
  34 2.11.0
  35