Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Maintenance:9577
qemu.openSUSE_Leap_42.3_Update
0054-slirp-check-len-against-dhcp-option.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0054-slirp-check-len-against-dhcp-option.patch of Package qemu.openSUSE_Leap_42.3_Update
From a36a6f44fe666dc891862763e952acc95c026e77 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit <pjp@fedoraproject.org> Date: Mon, 17 Jul 2017 17:33:26 +0530 Subject: [PATCH] slirp: check len against dhcp options array end While parsing dhcp options string in 'dhcp_decode', if an options' length 'len' appeared towards the end of 'bp_vend' array, ensuing read could lead to an OOB memory access issue. Add check to avoid it. This is CVE-2017-11434. Reported-by: Reno Robert <renorobert@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> (cherry picked from commit 413d463f43fbc4dd3a601e80a5724aa384a265a0) [BR: BSC#1049381 CVE-2017-11434] Signed-off-by: Bruce Rogers <brogers@suse.com> --- slirp/bootp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/slirp/bootp.c b/slirp/bootp.c index 5a4646c182..5dd1a415b5 100644 --- a/slirp/bootp.c +++ b/slirp/bootp.c @@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, if (p >= p_end) break; len = *p++; + if (p + len > p_end) { + break; + } DPRINTF("dhcp: tag=%d len=%d\n", tag, len); switch(tag) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor