mirror of https://github.com/openbsd/src.git synced 2026-06-17 23:03:29 +02:00

Make sure UDP header length field at least covers the UDP header.

We clamp the amount of data we are willing to parse to the length of
the UDP packet as indicated by the UDP header length field. While we
made sure that the length field did not point past the received data,
we never checked if the length is smaller than the udp header. Since
we are using BPF, the kernel also does not do this for us. This might
in turn lead to an underflow and a subsequent crash of the engine
process.

Pointed out and diff provided by Andrew Griffiths, thanks!
florian
2026-06-15 17:07:34 +00:00
parent 071960dc61
commit a69b13d93c
+4 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: engine.c,v 1.64 2026/05/14 06:09:50 dgl Exp $ */
/* $OpenBSD: engine.c,v 1.65 2026/06/15 17:07:34 florian Exp $ */
/*
* Copyright (c) 2017, 2021 Florian Obser <florian@openbsd.org>
@@ -861,6 +861,9 @@ parse_dhcp(struct dhcpleased_iface *iface, struct imsg_dhcp *dhcp)
rem = ntohs(udp->uh_ulen);
}
if (rem < sizeof(*udp))
goto too_short;
p += sizeof(*udp);
rem -= sizeof(*udp);
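Review bot: The new `if (rem < sizeof(*udp))` test has no comment saying why it is needed once `rem` has already been clamped to `ntohs(udp->uh_ulen)`, so it could later be mistaken for a redundant check and removed. A one-line comment above it would help, noting that `uh_ulen` is taken from the wire unvalidated and may be smaller than the UDP header, which would make `rem -= sizeof(*udp)` wrap. The placement after the closing brace is right, since it covers `rem` whether or not the clamp assignment ran. The declaration of `rem` is not visible in this hunk; it is worth confirming its type so that the comparison against the `size_t` from `sizeof` behaves as intended.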