bc6ecbbeef
Systemd-networkd is vulnerable to an out out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> [Peter: add description] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
31 lines
1.1 KiB
Diff
31 lines
1.1 KiB
Diff
From 49653743f69658aeeebdb14faf1ab158f1f2cb20 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Fri, 19 Oct 2018 12:12:33 +0200
|
|
Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option
|
|
header
|
|
|
|
Fixes CVE-2018-15688:
|
|
https://security-tracker.debian.org/tracker/CVE-2018-15688
|
|
|
|
Patch downloaded from upstream commit:
|
|
https://github.com/systemd/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20
|
|
|
|
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
|
|
---
|
|
src/libsystemd-network/dhcp6-option.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
|
|
index cbd4bc7a2a3..2806415100c 100644
|
|
--- a/src/libsystemd-network/dhcp6-option.c
|
|
+++ b/src/libsystemd-network/dhcp6-option.c
|
|
@@ -106,7 +106,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia) {
|
|
return -EINVAL;
|
|
}
|
|
|
|
- if (*buflen < len)
|
|
+ if (*buflen < offsetof(DHCP6Option, data) + len)
|
|
return -ENOBUFS;
|
|
|
|
ia_hdr = *buf;
|