Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dhcp6 packet size calculation fixes #10518

Merged
merged 5 commits into from Oct 25, 2018

Conversation

poettering
Copy link
Member

No description provided.

Fixes a vulnerability originally discovered by Felix Wilhelm from
Google.

CVE-2018-15688
LP: #1795921
https://bugzilla.redhat.com/show_bug.cgi?id=1639067
This doesn't change anything in the generated source, but I think makes
semantically more sense, as these structures have undefined size, and we
only want to know the size up to the data field in these cases.
@keszybz keszybz added the good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed label Oct 25, 2018
@poettering poettering merged commit 5ec1fca into systemd:master Oct 25, 2018
@@ -106,7 +106,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia) {
return -EINVAL;
}

if (*buflen < len)
if (*buflen < offsetof(DHCP6Option, data) + len)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it seems that it's not uncommon for dhcp6-client to get the length wrong. The receiving side is more or less covered by the dhcp6-client fuzzer (which has helped to find three similar issues this month). Maybe it would make sense to somehow cover the sending side too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dhcp good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed network
Development

Successfully merging this pull request may close these issues.

None yet

3 participants