[Bug 11506] Out of bounds read in udhcp_get_option()

bugzilla at busybox.net bugzilla at busybox.net
Tue Dec 18 18:15:30 UTC 2018


https://bugs.busybox.net/show_bug.cgi?id=11506

--- Comment #2 from KRP <krp at gtux.in> ---
fill_envp() function in dhcpc.c makes calls to udhcp_get_option() in a loop.
So, it is not possible to check for the exact length parsed for specific
options. So, any options used after fill_envp() parsing may again lead to out
of bounds read in client side. Any thoughts about that?

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the busybox-cvs mailing list