From a69b13d93c17ac94d93def49d67ea5cbf8b2f863 Mon Sep 17 00:00:00 2001 From: florian Date: Mon, 15 Jun 2026 17:07:34 +0000 Subject: [PATCH] Make sure UDP header length field at least covers the UDP header. We clamp the amount of data we are willing to parse to the length of the UDP packet as indicated by the UDP header length field. While we made sure that the length field did not point past the received data, we never checked if the length is smaller than the udp header. Since we are using BPF, the kernel also does not do this for us. This might in turn lead to an underflow and a subsequent crash of the engine process. Pointed out and diff provided by Andrew Griffiths, thanks! --- sbin/dhcpleased/engine.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sbin/dhcpleased/engine.c b/sbin/dhcpleased/engine.c index da1052c59f5..a895f85cc3d 100644 --- a/sbin/dhcpleased/engine.c +++ b/sbin/dhcpleased/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.64 2026/05/14 06:09:50 dgl Exp $ */ +/* $OpenBSD: engine.c,v 1.65 2026/06/15 17:07:34 florian Exp $ */ /* * Copyright (c) 2017, 2021 Florian Obser @@ -861,6 +861,9 @@ parse_dhcp(struct dhcpleased_iface *iface, struct imsg_dhcp *dhcp) rem = ntohs(udp->uh_ulen); } + if (rem < sizeof(*udp)) + goto too_short; + p += sizeof(*udp); rem -= sizeof(*udp);
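Review bot: The new `if (rem < sizeof(*udp))` check in the parse_dhcp() hunk carries no comment explaining why it is needed, and the reason (packets arrive via BPF, so nothing has validated `uh_ulen` before this point) lives only in the commit message; a one-line comment above the check would keep a later cleanup from dropping it as redundant. The placement after the closing brace is right: it applies to `rem` whether or not it was just set from `ntohs(udp->uh_ulen)`, and it runs before `rem -= sizeof(*udp)`. The declaration of `rem` is outside the visible context, so it is worth confirming its type there: the comparison against `sizeof` is evaluated as `size_t`, which is correct for non-negative values but would behave differently if `rem` were signed and could ever be negative on entry.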