mirror of https://github.com/RIOT-OS/RIOT.git synced 2024-12-29 04:50:03 +01:00

gnrc_dhcpv6_client: Fix out-of-bounds access during option parsing

The _parse_reply function iterates over the DHCPv6 message options
twice but only performs sanity checks on the option length in the
first iteration. As such, both loop iterations need to be identical.
Unfortunately, they aren't without this commit as (1) they use
different maximum length values and (2) the first iteration stops
parsing as soon as it encounters a zero option while the second
doesn't. As such, it is possible for an out-of-bounds read to be
performed by the second loop iteration. This commit fixes this.
Sören Tempel 2022-07-11 22:55:33 +02:00
parent 1ba2ef8977
commit f073dcdb3d
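
The failure mode described in the commit message, shown as an added example that is not RIOT's code: when a validating pass and a parsing pass both advance through one bounds-checked iterator, they cannot disagree on the length limit or on where the end marker stops them. The names `opt_next`, `count_opts`, `sum_payload` and `OPT_HDR` are hypothetical, the 4-byte header is the DHCPv6 option layout (2-byte code, 2-byte length), and treating a truncated header as malformed is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define OPT_HDR 4u  /* 2-byte type + 2-byte length, network byte order */
typedef struct { uint16_t type, len; const uint8_t *data; } opt_view_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The only code that advances through the buffer. Returns false at end of
 * buffer, at the type-0 end marker, or on a malformed option (*bad = true). */
static bool opt_next(const uint8_t *buf, size_t len, size_t *off,
                     opt_view_t *o, bool *bad)
{
    size_t left = len - *off;           /* caller keeps *off <= len */
    *bad = false;
    if (left == 0) return false;
    if (left < OPT_HDR) { *bad = true; return false; }  /* truncated header */
    o->type = rd16(buf + *off);
    o->len = rd16(buf + *off + 2);
    if (o->type == 0) return false;     /* end marker: ignore what follows */
    if (o->len > left - OPT_HDR) { *bad = true; return false; } /* overrun */
    o->data = buf + *off + OPT_HDR;
    *off += OPT_HDR + o->len;
    return true;
}

/* Pass 1: validation only. Returns the option count, or -1 if malformed. */
static int count_opts(const uint8_t *buf, size_t len)
{
    size_t off = 0; opt_view_t o; bool bad; int n = 0;
    while (opt_next(buf, len, &off, &o, &bad)) n++;
    return bad ? -1 : n;
}

/* Pass 2: reads payloads, over exactly the options pass 1 accepted. */
static long sum_payload(const uint8_t *buf, size_t len)
{
    size_t off = 0; opt_view_t o; bool bad; long sum = 0;
    if (count_opts(buf, len) < 0) return -1;
    while (opt_next(buf, len, &off, &o, &bad))
        for (uint16_t i = 0; i < o.len; i++) sum += o.data[i];
    return sum;
}

/* Constructed inputs: well-formed, end marker before junk, length overrun. */
static const uint8_t GOOD[] = {0,1,0,2,0xAA,0xBB, 0,2,0,0};
static const uint8_t MARK[] = {0,1,0,1,5, 0,0,0xFF,0xFF, 0,3,0,1,9};
static const uint8_t OVER[] = {0,1,0,8,1};
int main(void) { return (sum_payload(GOOD, sizeof GOOD) == 357 &&
    sum_payload(MARK, sizeof MARK) == 5 && sum_payload(OVER, sizeof OVER) == -1) ? 0 : 1; }
```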


@ -988,6 +988,7 @@ static bool _parse_reply(uint8_t *rep, size_t len, uint8_t request_type)
DEBUG("DHCPv6 client: packet too small or transaction ID wrong\n");
return false;
}
len = orig_len - sizeof(dhcpv6_msg_t);
for (dhcpv6_opt_t *opt = (dhcpv6_opt_t *)(&rep[sizeof(dhcpv6_msg_t)]);
len > 0; len -= _opt_len(opt), opt = _opt_next(opt)) {
if (len > orig_len) {
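Review bot: the loop condition `len > 0` that follows the new `len = orig_len - sizeof(dhcpv6_msg_t);` still enters the body when fewer bytes remain than one option header, so `_opt_len(opt)` in the step expression can read a length field lying past the packet unless the body rejects that case first. Consider requiring `len >= sizeof(dhcpv6_opt_t)` before touching the option, and add a short comment at the reset stating that `len` now counts option bytes only, since the commit message names mismatched maximum lengths between the two passes as one of the root causes.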
@ -1079,6 +1080,10 @@ static bool _parse_reply(uint8_t *rep, size_t len, uint8_t request_type)
default:
break;
}
/* 0 option is used as an end marker, len can include bogus bytes */
if (!byteorder_ntohs(opt->type)) {
break;
}
}
return true;
}
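Review bot: the end-marker test sits at the bottom of the loop body, after the `switch`, so a type-0 option still passes through the `switch` before the `break`; putting the `if (!byteorder_ntohs(opt->type))` check at the top of the body would make it plain that nothing at or past the marker is interpreted. Because the fix depends on both passes stopping at the same point, a shared iteration helper or macro would keep them from diverging again, and the comment should name the matching check in the other pass that this one mirrors.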