authorKevin Darbyshire-Bryant2020-04-13 08:14:43 +0000
committerKevin Darbyshire-Bryant2020-04-19 20:51:38 +0000
commit796da66abd074037f3b48475772d65874cc6de54 (patch)
treef8a7e36f34c2205d664c318c403d09bc11c5d248
parentad0b25ad74345d367c62311e14b279f5ccb8ef13 (diff)
downloadrelayd-796da66abd074037f3b48475772d65874cc6de54.tar.gz
dhcp.c: improve input validation & length checks
Improve data & structure length validation. Addresses CVE-2020-11752 Thanks to Guido Vranken <guido@guidovranken.com> for the report who requested credit be given to 'ForAllSecure Mayhem'. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
-rw-r--r--dhcp.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/dhcp.c b/dhcp.c
index aefe34f..4dbdece 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -88,8 +88,9 @@ parse_dhcp_options(struct relayd_host *host, struct dhcp_header *dhcp, int len)
struct dhcp_option *opt = (void *)dhcp->option_data;
static const uint8_t dest[4] = { 0, 0, 0, 0 };
- while((uint8_t *) opt < end) {
- if ((uint8_t *) opt + opt->len > end)
+ while((uint8_t *) opt + sizeof(*opt) < end) {
+ if ((uint8_t *) opt + opt->len > end ||
+ (uint8_t *) opt + sizeof(*opt) > end )
break;
opt = (void *) &opt->data[opt->len];
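Review bot: The length test in the new `if` compares `opt + opt->len` with `end`, but the pointer is then advanced to `&opt->data[opt->len]`, which lies `sizeof(*opt)` further on if `data` directly follows the header fields (the struct is not shown here), so the advanced `opt` can still land past `end`. The added `(uint8_t *) opt + sizeof(*opt) > end` clause can never fire, because the `while` condition has already established the stricter `<`. I would fold both into `if ((uint8_t *) opt + sizeof(*opt) + opt->len > end) break;` and, since the loop body continues outside this hunk, confirm that the advanced `opt` is checked against `end` again before any of its fields is read. A comment such as `/* header and payload of the current option must both fit before end */` above the test would record the intent.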
@@ -136,6 +137,9 @@ bool relayd_handle_dhcp_packet(struct relayd_interface *rif, void *data, int len
udp = (void *) ((char *) &pkt->iph + (pkt->iph.ihl << 2));
dhcp = (void *) (udp + 1);
+ if ((uint8_t *)udp + sizeof(*udp) > (uint8_t *)data + len )
+ return false;
+
udplen = ntohs(udp->len);
if (udplen > len - ((char *) udp - (char *) data))
return false;
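Review bot: Nothing in the visible lines sets a lower bound on `udplen`: the new check proves only that the UDP header fits in `data`, and the existing one only caps `udplen` at the bytes remaining, so a datagram that ends right after the UDP header passes both while `dhcp` already points at `udp + 1`. If the rest of the function (outside this hunk) reads fields through `dhcp` or derives an option length from `udplen` minus the header size, that would be an out-of-bounds read or a negative length. I would add `if (udplen < sizeof(*udp) + sizeof(*dhcp)) return false;` after the `udplen` comparison. The new header test would also be easier to audit as a comparison on the offset `(char *) udp - (char *) data` than as a sum of pointers that may already lie beyond the buffer.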