[#254] Fixed memory leak in FQDN unpacking

RELNOTES Added a release note common/options.c fqdn_universe_decode() - replace returns with gotos to ensure memory is freed on label length errors
2025-08-22 18:07:25 +00:00 · 2022-08-04 16:22:35 -04:00 · 2022-08-04 16:22:35 -04:00 · 9e138021c8
commit 9e138021c8
parent 6e491dab44
2 changed files with 9 additions and 4 deletions
--- a/5
+++ b/5
@ -36,6 +36,11 @@ by Eric Young (eay@cryptsoft.com).
  [Gitblab #253]
  CVE: CVS-2022-2928

+! Corrected a memory leak that occurs when unpacking a packet that has an
+  FQDN option (81) that contains a label whose lenght is greater than 63.
+  [Gitblab #254]
+  CVE: CVS-2022-2929
+
 		Changes since 4.4.2-P1 (New Features)

 - Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
--- a/common/options.c
+++ b/common/options.c
@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
 		while (s < &bp -> data[0] + length + 2) {
 			len = *s;
 			if (len > 63) {
-				log_info ("fancy bits in fqdn option");
-				return 0;
+				log_info ("label length exceeds 63 in fqdn option");
+				goto bad;
 			}
 			if (len == 0) {
 				terminated = 1;
 				break;
 			}
 			if (s + len > &bp -> data [0] + length + 3) {
-				log_info ("fqdn tag longer than buffer");
-				return 0;
+				log_info ("fqdn label longer than buffer");
+				goto bad;
 			}

 			if (first_len == 0) {