Security fix, CVE-2017-14494, Infoleak handling DHCPv6 forwarded requests.

Fix information leak in DHCPv6. A crafted DHCPv6 packet can cause dnsmasq to forward memory from outside the packet buffer to a DHCPv6 server when acting as a relay.

Security fix, CVE-2017-14494, Infoleak handling DHCPv6 forwarded requests.
Fix information leak in DHCPv6. A crafted DHCPv6 packet can cause dnsmasq to forward memory from outside the packet buffer to a DHCPv6 server when acting as a relay.
33e3f102 · Simon Kelley · 3d4ff1ba · 33e3f102 · 33e3f102
Commit 33e3f102 authored Sep 25, 2017 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

CHANGELOG CHANGELOG +8 -0

src/rfc3315.c src/rfc3315.c +3 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -51,6 +51,14 @@ version 2.78
 	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
 	and Kevin Hamacher of the Google Security Team for
 	finding this.
+
+	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+	cause dnsmasq to forward memory from outside the packet
+	buffer to a DHCPv6 server when acting as a relay.
+	CVE-2017-14494 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	and Kevin Hamacher of the Google Security Team for
+	finding this.
 	
 	
 version 2.77

--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
  
  for (opt = opts; opt; opt = opt6_next(opt, end))
    {
+      if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
+        return 0;
+      }
      int o = new_opt6(opt6_type(opt));
      if (opt6_type(opt) == OPTION6_RELAY_MSG)
 	{