From fd9549c0fb0e1916ca553a1abbeebd48f608955d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20H=C3=A4rdeman?=
Date: Sun, 11 Feb 2024 18:29:15 +0100
Subject: [PATCH] Fix potential integer overflow in parsednssl()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

optlen is a uint8_t because the length field in the RA header is one octet (representing the length in units of 8 octets). Later optlen is multiplied by 8 to represent the length in bytes, meaning that the variable can overflow.

Signed-off-by: David Härdeman
Signed-off-by: Rémi Denis-Courmont
---
 src/ndisc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ndisc.c b/src/ndisc.c
index 1640794..b190b18 100644
--- a/src/ndisc.c
+++ b/src/ndisc.c
@@ -451,7 +451,7 @@ static int
 parsednssl (const uint8_t *opt)
 {
 const uint8_t *base;
- uint8_t optlen = opt[1];
+ uint16_t optlen = opt[1];
 if (optlen < 2)
 return -1;
-- 
2.34.1
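Review bot: The widened declaration `uint16_t optlen = opt[1];` carries no comment saying why a one-octet field is held in 16 bits, so a later cleanup could narrow it back to `uint8_t`; a line such as `/* opt[1] counts 8-octet units; the byte length (up to 255 * 8 = 2040) must not wrap */` above it would record the reason. The multiplication by 8 and the rest of parsednssl() lie outside the hunk, so it cannot be confirmed from here that every later use of optlen stays within the bytes actually received. Because the option is taken from a Router Advertisement off the network, it is also worth checking whether any other option parser in src/ndisc.c keeps a scaled length in a `uint8_t`.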