From 796da66abd074037f3b48475772d65874cc6de54 Mon Sep 17 00:00:00 2001 From: Kevin Darbyshire-Bryant Date: Mon, 13 Apr 2020 09:14:43 +0100 Subject: [PATCH] dhcp.c: improve input validation & length checks Improve data & structure length validation. Addresses CVE-2020-11752 Thanks to Guido Vranken for the report who requested credit be given to 'ForAllSecure Mayhem'. Signed-off-by: Kevin Darbyshire-Bryant --- dhcp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dhcp.c b/dhcp.c index aefe34f..4dbdece 100644 --- a/dhcp.c +++ b/dhcp.c @@ -88,8 +88,9 @@ parse_dhcp_options(struct relayd_host *host, struct dhcp_header *dhcp, int len) struct dhcp_option *opt = (void *)dhcp->option_data; static const uint8_t dest[4] = { 0, 0, 0, 0 }; - while((uint8_t *) opt < end) { - if ((uint8_t *) opt + opt->len > end) + while((uint8_t *) opt + sizeof(*opt) < end) { + if ((uint8_t *) opt + opt->len > end || + (uint8_t *) opt + sizeof(*opt) > end ) break; opt = (void *) &opt->data[opt->len]; @@ -136,6 +137,9 @@ bool relayd_handle_dhcp_packet(struct relayd_interface *rif, void *data, int len udp = (void *) ((char *) &pkt->iph + (pkt->iph.ihl << 2)); dhcp = (void *) (udp + 1); + if ((uint8_t *)udp + sizeof(*udp) > (uint8_t *)data + len ) + return false; + udplen = ntohs(udp->len); if (udplen > len - ((char *) udp - (char *) data)) return false; -- 2.25.1