mir/isc-dhcp
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/dhcp synced 2025-08-23 10:28:08 +00:00
Code Issues Releases Wiki Activity

[#254] Fixed memory leak in FQDN unpacking

Browse Source 
RELNOTES
    Added a release note

common/options.c
    fqdn_universe_decode() - replace returns with
    gotos to ensure memory is freed on label length
    errors
This commit is contained in:
Thomas Markwalder 2022-08-04 16:22:35 -04:00 committed by Tomek Mrugalski
parent 6e491dab44
commit 9e138021c8
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
RELNOTES
View File

@ -36,6 +36,11 @@ by Eric Young (eay@cryptsoft.com).
[Gitblab #253] [Gitblab #253]
CVE: CVS-2022-2928 CVE: CVS-2022-2928
! Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label whose lenght is greater than 63.
[Gitblab #254]
CVE: CVS-2022-2929
Changes since 4.4.2-P1 (New Features) Changes since 4.4.2-P1 (New Features)
- Two new OMAPI function calls were added, `dhcpctl_timed_connect()` - Two new OMAPI function calls were added, `dhcpctl_timed_connect()`

8
common/options.c
View File

@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
while (s < &bp -> data[0] + length + 2) { while (s < &bp -> data[0] + length + 2) {
len = *s; len = *s;
if (len > 63) { if (len > 63) {
log_info ("fancy bits in fqdn option"); log_info ("label length exceeds 63 in fqdn option");
return 0; goto bad;
} }
if (len == 0) { if (len == 0) {
terminated = 1; terminated = 1;
break; break;
} }
if (s + len > &bp -> data [0] + length + 3) { if (s + len > &bp -> data [0] + length + 3) {
log_info ("fqdn tag longer than buffer"); log_info ("fqdn label longer than buffer");
return 0; goto bad;
} }
if (first_len == 0) { if (first_len == 0) {