From: Ben Hutchings Date: Thu, 28 Jan 2016 01:28:32 +0000 (+0000) Subject: Check for unsupported PD exclusion configuration in dhcpv6_parse_ia X-Git-Tag: debian/1.1+git20160131-1~8^2~2 X-Git-Url: https://git.decadent.org.uk/gitweb/?p=odhcp6c.git;a=commitdiff_plain;h=abe9d1b0739857f4a0d25005f9f0523153a6fe23 Check for unsupported PD exclusion configuration in dhcpv6_parse_ia We currently only support PD exclusions that only affect bits 64-95 of the address, so we require: 32 <= PD prefix length < exclusion prefix length <= 64 The first inequality was not validated, and this could result in a buffer overflow when generating the next request message. Signed-off-by: Ben Hutchings --- diff --git a/src/dhcpv6.c b/src/dhcpv6.c index c2a3e3d..2d8124f 100644 --- a/src/dhcpv6.c +++ b/src/dhcpv6.c @@ -1185,7 +1185,7 @@ static int dhcpv6_parse_ia(void *opt, void *end) if (elen > 64) elen = 64; - if (elen <= 32 || elen <= entry.length) { + if (entry.length < 32 || elen <= entry.length) { ok = false; continue; }
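Review bot: The unchanged context line `if (elen > 64) elen = 64;` just above the modified condition clamps an over-long exclusion prefix instead of rejecting it, so an exclusion longer than /64 still passes the new test with a truncated length whenever `entry.length` is between 32 and 63. The commit message lists "exclusion prefix length <= 64" as a requirement of the supported range, so setting `ok = false` and continuing for `elen > 64` would be more consistent with the rest of this check than silently shortening the prefix. The new condition itself is sound: `entry.length >= 32` together with `elen > entry.length` implies `elen > 32`, so the dropped `elen <= 32` test is fully covered. It would help to put the invariant from the commit message (32 <= PD prefix length < exclusion prefix length <= 64) in a comment next to `if (entry.length < 32 || elen <= entry.length)`, with a note that the code building the next request relies on it. Since the overflow happens in that request-building code rather than here, a bounds check or assertion at the point where the exclusion bytes are written would keep a future change to this parser from reintroducing the overflow.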