aboutsummaryrefslogtreecommitdiff
path: root/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch
blob: c79bbc7f82193a355a475c62d736fe181c17a4c7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From 93b5b67dd31b9efcbfaabc2df1e1d9d164a5e04a Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Fri, 9 Feb 2018 14:46:08 -0500
Subject: [PATCH 2/2] Corrected refcnt loss in option parsing

    Merges in 47140.

[baruch: drop RELNOTES and tests; address CVE-2018-5733]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: backported from commit 197b26f25309
---
 common/options.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/common/options.c b/common/options.c
index 2ed6b16c6412..25b29a6be7bb 100644
--- a/common/options.c
+++ b/common/options.c
@@ -3,7 +3,7 @@
    DHCP options parsing and reassembly. */
 
 /*
- * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2018 by Internet Systems Consortium, Inc. ("ISC")
  * Copyright (c) 1995-2003 by Internet Software Consortium
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer, length, universe)
 
 		/* If the length is outrageous, the options are bad. */
 		if (offset + len > length) {
+			/* Avoid reference count overflow */
+			option_dereference(&option, MDL);
 			reason = "option length exceeds option buffer length";
 		      bogus:
 			log_error("parse_option_buffer: malformed option "
-- 
2.16.1