[Bug 11506] Out of bounds read in udhcp_get_option()
bugzilla at busybox.net
Fri Jan 4 19:56:25 UTC 2019
https://bugs.busybox.net/show_bug.cgi?id=11506
--- Comment #4 from Krishna Ram Prakash R <krp at gtux.in> ---
I was originally talking about the exporting of unknown options which, on closer
look, I realize is not an issue and cannot lead to an out-of-bounds read, as
only the required memory is allocated according to the specified length and is
null terminated.
But I also noted that in fill_envp(), the subnet option is fetched and stored
without making sure that the length is 4 bytes. Shouldn't we also check if
the length is 4 if code == DHCP_SUBNET before calling move_from_unaligned()?
    temp = udhcp_get_option(packet, code);
    *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
    putenv(*curr++);
    if (code == DHCP_SUBNET) {
        /* Subnet option: make things like "$ip/$mask" possible */
        uint32_t subnet;
        move_from_unaligned32(subnet, temp);
        *curr = xasprintf("mask=%u", mton(subnet));
Thanks!
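
The length check asked about above, as an added stand-alone example that is not part of the original comment and is not BusyBox code. The names find_option() and get_subnet() and the sample buffers are hypothetical; the option layout assumed is code byte, length byte, then data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { OPT_PAD = 0, OPT_SUBNET = 1, OPT_END = 255 };

/* Walk a code/len/data option buffer. Returns a pointer to the option's data
 * and sets *len, or NULL if the option is absent or the buffer is malformed. */
static const uint8_t *find_option(const uint8_t *buf, size_t size,
                                  uint8_t code, uint8_t *len)
{
    size_t i = 0;
    while (i < size) {
        uint8_t c = buf[i];
        if (c == OPT_PAD) { i++; continue; }    /* pad has no length byte */
        if (c == OPT_END) break;
        if (i + 2 > size) return NULL;          /* length byte missing */
        uint8_t l = buf[i + 1];
        if (i + 2 + l > size) return NULL;      /* data runs past the buffer */
        if (c == code) { *len = l; return &buf[i + 2]; }
        i += 2 + (size_t)l;
    }
    return NULL;
}

/* Returns 0 and stores the mask (network byte order) only when the subnet
 * option is present and exactly 4 bytes long; returns -1 otherwise. */
static int get_subnet(const uint8_t *buf, size_t size, uint32_t *mask)
{
    uint8_t len;
    const uint8_t *data = find_option(buf, size, OPT_SUBNET, &len);
    if (data == NULL || len != 4)
        return -1;              /* never read 4 bytes from a shorter option */
    memcpy(mask, data, 4);      /* alignment-safe 32-bit copy */
    return 0;
}

/* Constructed sample option buffers. */
static const uint8_t opts_ok[]    = { 1, 4, 255, 255, 255, 0, 255 };
static const uint8_t opts_short[] = { 1, 1, 255 };      /* len 1, ends the buffer */
static const uint8_t opts_trunc[] = { 1, 4, 255, 255 }; /* claims 4, has 2 */

int main(void)
{
    uint32_t m;
    return (get_subnet(opts_ok, sizeof opts_ok, &m) == 0 &&
            get_subnet(opts_short, sizeof opts_short, &m) == -1) ? 0 : 1;
}
```

With opts_short, an unconditional 4-byte read from the data pointer would run 3 bytes past the end of the buffer; the len != 4 test rejects it first.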