mirror of
https://github.com/RIOT-OS/RIOT.git
synced 2024-12-29 04:50:03 +01:00
f073dcdb3d
The _parse_reply function iterates over the DHCPv6 message options twice but only performs sanity checks on the option length in the first iteration. As such, both loop iterations need to be identical. Unfortunately, there aren't without this commit as (1) they use different maximum length values and (2) the first iteration stops parsing as soon as it encounters a zero option while the second doesn't. As such, it is possible for out-of-bounds read to be performed by the second loop iteration. This commit fixes this. |
||
|---|---|---|
| .. | ||
| application_layer | ||
| ble | ||
| credman | ||
| crosslayer | ||
| dsm | ||
| gnrc | ||
| link_layer | ||
| lora | ||
| netdev_test | ||
| netif | ||
| netstats | ||
| netutils | ||
| network_layer | ||
| sock | ||
| transport_layer | ||
| doc.txt | ||
| ieee802154.txt | ||
| Kconfig | ||