diff options
author | Thomas Markwalder <tmark@isc.org> | 2022-08-04 14:11:08 -0400 |
---|---|---|
committer | Thomas Markwalder <tmark@isc.org> | 2022-09-01 07:16:12 -0400 |
commit | c887ef3f31a3c96208028cc818b839d389bbf0cb (patch) | |
tree | 87977c81289fc946d1bc3e4bc04a8979ce6650ef | |
parent | b5d1f6f097faf828dea735b30b4bdc589f06b9be (diff) | |
download | isc-dhcp-c887ef3f31a3c96208028cc818b839d389bbf0cb.tar.gz |
[#254] Fixed memory leak in FQDN unpacking
RELNOTES
Added a release note
common/options.c
fqdn_universe_decode() - replace returns with
gotos to ensure memory is freed on label length
errors
-rw-r--r-- | RELNOTES | 31 | ||||
-rw-r--r-- | common/options.c | 8 |
2 files changed, 22 insertions, 17 deletions
@@ -74,19 +74,24 @@ dhcp-users@lists.isc.org. Changes since 4.1-ESV-R16-P1 - ! Corrected a reference count leak that occurs when the server builds - responses to leasequery packets. Thanks to VictorV of Cyber Kunlun - Lab for reporting the issue. - [Gitblab #253] - CVE: CVS-2022-2928 - - Change1 since 4.1-ESV-R16 - - ! Corrected a buffer overwrite possible when parsing hexadecimal - literals with more than 1024 octets. Reported by Jon Franklin from Dell, - and also by Pawel Wieczorkiewicz from Amazon Web Services. - [Gitlab #182] - CVE: CVE-2021-25217 +! Corrected a reference count leak that occurs when the server builds + responses to leasequery packets. Thanks to VictorV of Cyber Kunlun + Lab for reporting the issue. + [Gitblab #253] + CVE: CVS-2022-2928 + +! Corrected a memory leak that occurs when unpacking a packet that has an + FQDN option (81) that contains a label whose lenght is greater than 63. + [Gitblab #254] + CVE: CVS-2022-2929 + + Changes since 4.1-ESV-R16 + +! Corrected a buffer overwrite possible when parsing hexadecimal + literals with more than 1024 octets. Reported by Jon Franklin from Dell, + and also by Pawel Wieczorkiewicz from Amazon Web Services. + [Gitlab #182] + CVE: CVE-2021-25217 Changes since 4.1-ESV-R16b1 diff --git a/common/options.c b/common/options.c index df591cbb..035ec64c 100644 --- a/common/options.c +++ b/common/options.c @@ -447,16 +447,16 @@ int fqdn_universe_decode (struct option_state *options, while (s < &bp -> data[0] + length + 2) { len = *s; if (len > 63) { - log_info ("fancy bits in fqdn option"); - return 0; + log_info ("label length exceeds 63 in fqdn option"); + goto bad; } if (len == 0) { terminated = 1; break; } if (s + len > &bp -> data [0] + length + 3) { - log_info ("fqdn tag longer than buffer"); - return 0; + log_info ("fqdn label longer than buffer"); + goto bad; } if (first_len == 0) { |