RIOT-OS/RIOT
RIOT-OS/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-18 12:52:44 +01:00
Code Releases Activity

Merge pull request #18307 from nmeum/pr/gnrc_dhcpv6_client_parse_reply

Browse Source 
gnrc_dhcpv6_client: Fix out-of-bounds access during option parsing
This commit is contained in:
Martine Lenders 2022-07-12 19:30:50 +02:00 committed by GitHub
commit 11dc836d61
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/net/application_layer/dhcpv6/client.c
View File

@ -988,6 +988,7 @@ static bool _parse_reply(uint8_t *rep, size_t len, uint8_t request_type)
DEBUG("DHCPv6 client: packet too small or transaction ID wrong\n");
return false;
}
len = orig_len - sizeof(dhcpv6_msg_t);
for (dhcpv6_opt_t *opt = (dhcpv6_opt_t *)(&rep[sizeof(dhcpv6_msg_t)]);
len > 0; len -= _opt_len(opt), opt = _opt_next(opt)) {
if (len > orig_len) {
@ -1079,6 +1080,10 @@ static bool _parse_reply(uint8_t *rep, size_t len, uint8_t request_type)
default:
break;
}
/* 0 option is used as an end marker, len can include bogus bytes */
if (!byteorder_ntohs(opt->type)) {
break;
}
}
return true;
}