[Bug 11506] Out of bounds read in udhcp_get_option()

bugzilla at busybox.net bugzilla at busybox.net
Wed Jan 2 13:34:55 UTC 2019


https://bugs.busybox.net/show_bug.cgi?id=11506

--- Comment #3 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Krishna Ram Prakash R from comment #2)
> fill_envp() function in dhcpc.c makes calls to udhcp_get_option() in a loop.
> So, it is not possible to check for the exact length parsed for specific options.
> So, any options used after fill_envp() parsing may again lead to out of bounds read in client side. Any thoughts about that?

You need to point out the specific code path where length is not checked. I
looked at the code and so far I don't see it.
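
The two length checks this exchange turns on, as an added example that is not BusyBox code and not part of the original thread: a walker that verifies each option's declared length fits in the buffer, and a fixed-width consumer that additionally requires the exact length before reading. The names `find_option` and `get_option_u32` and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed option areas (code, length, data...); 51 = lease time. */
static const uint8_t sample_ok[]    = {53, 1, 5, 51, 4, 0, 0, 0x0e, 0x10, 255};
static const uint8_t sample_short[] = {51, 1, 0x10, 255};   /* length 1, not 4 */
static const uint8_t sample_trunc[] = {51, 4, 0, 0};        /* data cut off */

/* Return a pointer to the data of the first option `code`, or NULL.
 * On success *out_len is the declared length, verified to fit in buf. */
static const uint8_t *find_option(const uint8_t *buf, size_t buflen,
                                  uint8_t code, size_t *out_len)
{
    size_t i = 0;
    while (i < buflen && buf[i] != 255) {      /* 255 = end option */
        if (buf[i] == 0) { i++; continue; }    /* 0 = pad, single byte */
        if (buflen - i < 2)                    /* no room for length byte */
            return NULL;
        size_t len = buf[i + 1];
        if (len > buflen - i - 2)              /* data runs past buffer */
            return NULL;
        if (buf[i] == code) {
            *out_len = len;
            return buf + i + 2;
        }
        i += 2 + len;
    }
    return NULL;
}

/* Fixed-width consumer: reads 4 bytes only when the option is exactly 4 long. */
static int get_option_u32(const uint8_t *buf, size_t buflen, uint8_t code, uint32_t *out)
{
    size_t len;
    const uint8_t *p = find_option(buf, buflen, code, &len);
    if (p == NULL || len != 4)
        return -1;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return 0;
}

/* Exit status 0 when sample_ok parses and both malformed samples are rejected. */
int main(void)
{
    uint32_t v = 0;
    return get_option_u32(sample_ok, sizeof sample_ok, 51, &v)
        || !get_option_u32(sample_short, sizeof sample_short, 51, &v)
        || !get_option_u32(sample_trunc, sizeof sample_trunc, 51, &v);
}
```

`sample_short` passes the walker's bounds check (its one data byte is inside the buffer) and is rejected only by the consumer's exact-length check, which is the per-option case the thread is asking about.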



More information about the busybox-cvs mailing list