File 19a18bf7_port.patch of Package freeradius-server.14503
commit 19a18bf7c8af649c9e9742fb6a046f6aff639866
Author: Alan T. DeKok <aland@freeradius.org>
Date: Mon Jul 3 15:42:35 2017 -0400
FR-GV-304 - check for option overflowing the packet
Index: freeradius-server-3.0.3/src/modules/proto_dhcp/dhcp.c
===================================================================
--- freeradius-server-3.0.3.orig/src/modules/proto_dhcp/dhcp.c
+++ freeradius-server-3.0.3/src/modules/proto_dhcp/dhcp.c
@@ -486,6 +486,24 @@ static int decode_tlv(RADIUS_PACKET *pac
p = data;
while (p < (data + data_len)) {
+ /*
+ * Not enough room for the option header, it's a
+ * bad packet.
+ */
+ if ((p + 2) > (data + data_len)) {
+ pairfree(&head);
+ goto make_tlv;
+ }
+
+ /*
+ * Not enough room for the option header + data,
+ * it's a bad packet.
+ */
+ if ((p + 2 + p[1]) > (data + data_len)) {
+ pairfree(&head);
+ goto make_tlv;
+ }
+
vp = paircreate(packet, tlv->da->attr | (p[0] << 8), DHCP_MAGIC_VENDOR);
if (!vp) {
pairfree(&head);
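Review bot: Both added checks at the top of the `while` loop build the pointers `p + 2` and `p + 2 + p[1]` before comparing them with `data + data_len`, so on a truncated option they can point more than one byte past the end of the buffer. That is undefined behaviour in C, and an optimising compiler is allowed to assume the comparison can never be true. Comparing the remaining length keeps the arithmetic in bounds and merges the two identical failure branches: `size_t left = (size_t)((data + data_len) - p);` followed by `if ((left < 2) || ((size_t)p[1] > (left - 2))) {`. A one-line comment saying that a malformed option makes the whole attribute fall back to `make_tlv` would also help. That label and the rest of the loop body are outside the hunk, so whether `p` is advanced by `2 + p[1]` further down could not be checked here.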