
slirp: check len against dhcp options array end

Message ID 20170717120326.27967-1-ppandit@redhat.com
State New, archived

Commit Message

Prasad Pandit July 17, 2017, 12:03 p.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

While parsing the dhcp options string in 'dhcp_decode', if an option's
length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
read could lead to an OOB memory access issue. Add a check to avoid it.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 slirp/bootp.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Samuel Thibault July 17, 2017, 2:48 p.m. UTC | #1
P J P, on Mon. 17 Jul. 2017 17:33:26 +0530, wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> While parsing the dhcp options string in 'dhcp_decode', if an option's
> length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
> read could lead to an OOB memory access issue. Add a check to avoid it.
> 
> Reported-by: Reno Robert <renorobert@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Oops, sure, applied to my tree, thanks!

Samuel
Reno Robert July 17, 2017, 5:40 p.m. UTC | #2
+            if (p + len > p_end) {

Shouldn't this be (p + len >= p_end) ?

On Mon, Jul 17, 2017 at 8:18 PM, Samuel Thibault
<samuel.thibault@gnu.org> wrote:
> P J P, on Mon. 17 Jul. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While parsing the dhcp options string in 'dhcp_decode', if an option's
>> length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
>> read could lead to an OOB memory access issue. Add a check to avoid it.
>>
>> Reported-by: Reno Robert <renorobert@gmail.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>
> Oops, sure, applied to my tree, thanks!
>
> Samuel
Samuel Thibault July 17, 2017, 6:33 p.m. UTC | #3
Reno Robert, on Mon. 17 Jul. 2017 23:10:02 +0530, wrote:
> +            if (p + len > p_end) {
> 
> Shouldn't this be (p + len >= p_end) ?

No: if p_end-p is 1, len being 1 is fine.
 
Samuel
Michael Tokarev Aug. 2, 2017, 2:10 p.m. UTC | #4
17.07.2017 17:48, Samuel Thibault wrote:
> P J P, on Mon. 17 Jul. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> While parsing the dhcp options string in 'dhcp_decode', if an option's
>> length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
>> read could lead to an OOB memory access issue. Add a check to avoid it.
>>
>> Reported-by: Reno Robert <renorobert@gmail.com>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> 
> Oops, sure, applied to my tree, thanks!

Can we have it in 2.10 please?

This is CVE-2017-11434, which can be mentioned in the commit message.

Thanks,

/mjt

Patch

diff --git a/slirp/bootp.c b/slirp/bootp.c
index 5a4646c..5dd1a41 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -123,6 +123,9 @@  static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
             if (p >= p_end)
                 break;
             len = *p++;
+            if (p + len > p_end) {
+                break;
+            }
             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
 
             switch(tag) {
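Review bot: the new bound check `if (p + len > p_end)` forms the pointer `p + len` before comparing it, and `len` is read straight from the packet at `len = *p++`, so for a crafted option this computes a pointer past the end of the buffer; forming such a pointer is undefined behaviour in C even when it is only used in a comparison. Since the preceding `if (p >= p_end) break;` guarantees `p <= p_end` once `p` has been incremented, the same condition can be written without leaving the array as `if (len > p_end - p) { break; }`. The `>` itself is correct, as Samuel notes: an option whose data exactly fills the remaining bytes must still be accepted, so `>=` would wrongly reject it. Per Michael Tokarev's reply the commit message should also cite CVE-2017-11434 so the fix is traceable from the advisory.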