ryantimwilson / rpms / systemd

Forked from rpms/systemd a month ago
Clone
36e8a3
From c232bc1f346a6af9777c216d01f7940898ae1650 Mon Sep 17 00:00:00 2001
36e8a3
From: Lennart Poettering <lennart@poettering.net>
36e8a3
Date: Fri, 19 Oct 2018 12:12:33 +0200
36e8a3
Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option
36e8a3
 header
36e8a3
36e8a3
Fixes a vulnerability originally discovered by Felix Wilhelm from
36e8a3
Google.
36e8a3
36e8a3
CVE-2018-15688
36e8a3
LP: #1795921
36e8a3
https://bugzilla.redhat.com/show_bug.cgi?id=1639067
36e8a3
36e8a3
(cherry-picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
36e8a3
36e8a3
Resolves: #1643363
36e8a3
---
36e8a3
 src/libsystemd-network/dhcp6-option.c | 2 +-
36e8a3
 1 file changed, 1 insertion(+), 1 deletion(-)
36e8a3
36e8a3
diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
36e8a3
index 18196b125..097949729 100644
36e8a3
--- a/src/libsystemd-network/dhcp6-option.c
36e8a3
+++ b/src/libsystemd-network/dhcp6-option.c
36e8a3
@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
36e8a3
                 return -EINVAL;
36e8a3
         }
36e8a3
 
36e8a3
-        if (*buflen < len)
36e8a3
+        if (*buflen < offsetof(DHCP6Option, data) + len)
36e8a3
                 return -ENOBUFS;
36e8a3
 
36e8a3
         ia_hdr = *buf;