Commit ba83251b authored by Thomas Haller's avatar Thomas Haller

systemd: merge branch 'CVE-2018-15688' into nm-1-14

parents 2c6fafad fc230dca
Pipeline #7070 passed with stage
in 12 minutes and 11 seconds
......@@ -105,7 +105,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
return -EINVAL;
}
if (*buflen < len)
if (*buflen < offsetof(DHCP6Option, data) + len)
return -ENOBUFS;
ia_hdr = *buf;
......@@ -465,13 +465,15 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
case SD_DHCP6_OPTION_STATUS_CODE:
status = dhcp6_option_parse_status(option, optlen);
if (status) {
status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
if (status < 0) {
r = status;
goto error;
}
if (status > 0) {
log_dhcp6_client(client, "IA status %d",
status);
dhcp6_lease_free_ia(ia);
r = -EINVAL;
goto error;
}
......@@ -553,6 +555,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
bool first = true;
for (;;) {
const char *label;
uint8_t c;
c = optval[pos++];
......@@ -560,47 +563,41 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
if (c == 0)
/* End of name */
break;
else if (c <= 63) {
const char *label;
/* Literal label */
label = (const char *)&optval[pos];
pos += c;
if (pos >= optlen)
return -EMSGSIZE;
if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {
r = -ENOMEM;
goto fail;
}
if (first)
first = false;
else
ret[n++] = '.';
r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
if (r < 0)
goto fail;
n += r;
continue;
} else {
r = -EBADMSG;
goto fail;
}
}
if (c > 63)
return -EBADMSG;
/* Literal label */
label = (const char *)&optval[pos];
pos += c;
if (pos >= optlen)
return -EMSGSIZE;
if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))
return -ENOMEM;
if (first)
first = false;
else
ret[n++] = '.';
if (!GREEDY_REALLOC(ret, allocated, n + 1)) {
r = -ENOMEM;
goto fail;
r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
if (r < 0)
return r;
n += r;
}
if (n == 0)
continue;
if (!GREEDY_REALLOC(ret, allocated, n + 1))
return -ENOMEM;
ret[n] = 0;
r = strv_extend(&names, ret);
if (r < 0)
goto fail;
return r;
idx++;
}
......@@ -608,7 +605,4 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
*str_arr = TAKE_PTR(names);
return idx;
fail:
return r;
}
......@@ -1688,6 +1688,8 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
client->timeout_resend =
sd_event_source_unref(client->timeout_resend);
client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
r = client_initialize(client);
if (r < 0)
goto error;
......
......@@ -279,6 +279,8 @@ sd_dhcp_lease *sd_dhcp_lease_unref(sd_dhcp_lease *lease) {
free(option);
}
free(lease->root_path);
free(lease->timezone);
free(lease->hostname);
free(lease->domainname);
free(lease->dns);
......
......@@ -818,8 +818,8 @@ static int client_parse_message(
uint8_t *optval;
be32_t iaid_lease;
if (len < offsetof(DHCP6Option, data) ||
len < offsetof(DHCP6Option, data) + be16toh(option->len))
if (len < pos + offsetof(DHCP6Option, data) ||
len < pos + offsetof(DHCP6Option, data) + be16toh(option->len))
return -ENOBUFS;
optcode = be16toh(option->code);
......@@ -870,13 +870,14 @@ static int client_parse_message(
break;
case SD_DHCP6_OPTION_STATUS_CODE:
status = dhcp6_option_parse_status(option, optlen);
if (status) {
status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
if (status < 0)
return status;
if (status > 0) {
log_dhcp6_client(client, "%s Status %s",
dhcp6_message_type_to_string(message->type),
dhcp6_message_status_to_string(status));
dhcp6_lease_free_ia(&lease->ia);
dhcp6_lease_free_ia(&lease->pd);
return -EINVAL;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment