From b51ee7ac252cb09a4e931cac86604231c5f5f089 Mon Sep 17 00:00:00 2001 From: Hans Petter Selasky Date: Mon, 14 Nov 2022 15:20:09 +0100 Subject: [PATCH] dhclient(8): Verify lease-, renewal- and rebinding-time option sizes. Else out-of-bound reads and undefined behaviour may happen. The current code only checked for the presence of the first of four bytes. Make sure the fields in question have the minium size required. No functional change intended. Reviewed by: rrs@ Sponsored by: NVIDIA Networking (cherry picked from commit 3492caf512ae090816b4ffa275be43b2f5cfc460)
---
 sbin/dhclient/dhclient.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index a1628f0ee22..da9a567fad0 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -798,7 +798,7 @@ dhcpack(struct packet *packet)
 ACTION_SUPERSEDE)
 ip->client->new->expiry = getULong(
 ip->client->config->defaults[DHO_DHCP_LEASE_TIME].data);
- else if (ip->client->new->options[DHO_DHCP_LEASE_TIME].data)
+ else if (ip->client->new->options[DHO_DHCP_LEASE_TIME].len >= 4)
 ip->client->new->expiry = getULong(
 ip->client->new->options[DHO_DHCP_LEASE_TIME].data);
 else
@@ -821,7 +821,7 @@ dhcpack(struct packet *packet)
 ACTION_SUPERSEDE)
 ip->client->new->renewal = getULong(
 ip->client->config->defaults[DHO_DHCP_RENEWAL_TIME].data);
- else if (ip->client->new->options[DHO_DHCP_RENEWAL_TIME].len)
+ else if (ip->client->new->options[DHO_DHCP_RENEWAL_TIME].len >= 4)
 ip->client->new->renewal = getULong(
 ip->client->new->options[DHO_DHCP_RENEWAL_TIME].data);
 else
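Review bot: The `ACTION_SUPERSEDE` branch in the context lines above the changed test still passes `ip->client->config->defaults[DHO_DHCP_LEASE_TIME].data` to getULong() with no length check, so the four-byte guarantee added here covers only the server-supplied option. If the configuration parser does not already guarantee four bytes for a superseding value (not visible in this patch), that branch needs the same bound, e.g. `ip->client->config->defaults[DHO_DHCP_LEASE_TIME].len >= 4` alongside the action comparison. The renewal-time and rebinding-time hunks carry the identical unguarded branch. dhcpack() starts and ends outside the hunk, and the opening `if` of this chain is above the first context line.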
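Review bot: A renewal-time option that is present but shorter than four bytes now falls silently into the trailing `else` fallback, so a server sending truncated T1 values leaves no trace in the client log. A diagnostic at the top of that fallback would make the malformed reply visible to whoever is triaging the lease, for example `if (ip->client->new->options[DHO_DHCP_RENEWAL_TIME].len) warning("truncated renewal-time option ignored");`. The lease-time and rebinding-time hunks would take the same line with their own option index. The body of the fallback lies outside the hunk, so the exact placement needs checking against the full function.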
@@ -835,7 +835,7 @@ dhcpack(struct packet *packet)
 ACTION_SUPERSEDE)
 ip->client->new->rebind = getULong(
 ip->client->config->defaults[DHO_DHCP_REBINDING_TIME].data);
- else if (ip->client->new->options[DHO_DHCP_REBINDING_TIME].len)
+ else if (ip->client->new->options[DHO_DHCP_REBINDING_TIME].len >= 4)
 ip->client->new->rebind = getULong(
 ip->client->new->options[DHO_DHCP_REBINDING_TIME].data);
 else
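Review bot: `.len >= 4` also accepts an over-long rebinding-time option, of which getULong() presumably consumes only the leading four bytes; RFC 2132 defines the lease-time, renewal-time and rebinding-time options with a length of exactly 4. Unless option data can legitimately be longer at this point (for instance if a repeated option is concatenated during parsing, which this patch does not show), `.len == 4` would reject the malformed case outright. Whichever bound is kept, the literal 4 is repeated in all three hunks and would read better as `sizeof(u_int32_t)` or a named constant tied to what getULong() reads. dhcpack() continues outside the hunk.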