From fd9549c0fb0e1916ca553a1abbeebd48f608955d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20H=C3=A4rdeman?= <david@hardeman.nu>
Date: Sun, 11 Feb 2024 18:29:15 +0100
Subject: [PATCH] Fix potential integer overflow in parsednssl()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
optlen is a uint8_t because the length field in the RA header is one octet
(representing the length in units of 8 octets). Later optlen is multiplied by 8
to represent the length in bytes, meaning that the variable can overflow.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
---
src/ndisc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ndisc.c b/src/ndisc.c
index 1640794..b190b18 100644
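--- a/src/ndisc.c
+++ b/src/ndisc.c
@@ -451,7 +451,7 @@ static int
 parsednssl (const uint8_t *opt)
 {
 const uint8_t *base;
- uint8_t optlen = opt[1];
+ uint16_t optlen = opt[1];
 if (optlen < 2)
 return -1;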
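Review bot: The widened `optlen` declaration gives no reason for its `uint16_t` type, so a later cleanup could narrow it back to match the one-octet wire field. At this point the variable still counts units of 8 octets (that is what `if (optlen < 2)` tests), and only the later scaling described in the commit message turns it into a byte count. A comment on the declaration would pin this down, for example `/* uint16_t: later scaled by 8 into a byte count, up to 255 * 8 = 2040 */`. Separately, `parsednssl()` receives only `opt` and no remaining-length argument, so the length octet read from the RA is trusted as-is within the visible lines. Presumably the caller has already checked that the whole option lies inside the received packet; that is worth confirming, because the body continues outside the hunk.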
--
2.34.1