matthew/sonic-buildimage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[dhcp_relay] Check payload size to prevent buffer overflow in dhcpv6 option (#9740)

Browse Source
This commit is contained in:
kellyyeh 2022-01-27 23:19:15 -08:00 committed by Judy Joseph
parent 53a8d99baa
commit a0bb7a0485
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/dhcp6relay/src/relay.cpp
View File

@ -533,14 +533,17 @@ void relay_relay_forw(int sock, const uint8_t *msg, int32_t len, const ip6_hdr *
auto position = current_position + sizeof(struct dhcpv6_option);
auto dhcpv6msg = parse_dhcpv6_hdr(position);
while ((current_position - msg) != len) {
while ((current_position - msg) < len) {
auto option = parse_dhcpv6_opt(current_position, &tmp);
current_position = tmp;
if (current_position - msg > len || ntohs(option->option_length) > sizeof(buffer) - (current_buffer_position - buffer)) {
break;
}
switch (ntohs(option->option_code)) {
case OPTION_RELAY_MSG:
memcpy(current_buffer_position, ((uint8_t *)option) + sizeof(struct dhcpv6_option), ntohs(option->option_length));
current_buffer_position += ntohs(option->option_length);
type = dhcpv6msg->msg_type;;
type = dhcpv6msg->msg_type;
break;
default:
break;