Commit 413d463f authored Jul 17, 2017 by Prasad J Pandit Committed by Samuel Thibault Aug 03, 2017

slirp: check len against dhcp options array end



While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.

This is CVE-2017-11434.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

parent 5c843af2

slirp/bootp.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t bp, int pmsg_type,
		if (p >= p_end)
		break;
		len = *p++;
		if (p + len > p_end) {
		break;
		}
		DPRINTF("dhcp: tag=%d len=%d\n", tag, len);

		switch(tag) {