Overview

File CVE-2017-11434-qemuu-slirp-out-of-bounds-read-while-parsing-dhcp-options.patch of Package xen.11298

While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.

Reported-by: Reno Robert <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 slirp/bootp.c | 3 +++
 1 file changed, 3 insertions(+)

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/slirp/bootp.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/slirp/bootp.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/slirp/bootp.c
@@ -116,6 +116,9 @@ static void dhcp_decode(const struct boo
             if (p >= p_end)
                 break;
             len = *p++;
+            if (p + len > p_end) {
+                break;
+            }
             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
 
             switch(tag) {
openSUSE Build Service is sponsored by
Places