| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 May 2012 10:01:00 +0200 From: Antonio Quartulli <ordex@...istici.org> To: davem@...emloft.net Cc: netdev@...r.kernel.org, b.a.t.m.a.n@...ts.open-mesh.org, Antonio Quartulli <ordex@...istici.org> Subject: [PATCH 1/7] batman-adv: fix wrong dhcp option list browsing In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in the option list is neither a padding nor the dhcp-type, we have to ignore it and jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype field itself that has to be jumped too. Reported-by: Marek Lindner <lindner_marek@...oo.de> Signed-off-by: Antonio Quartulli <ordex@...istici.org> --- net/batman-adv/gateway_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c index 6f9b9b7..47f7186 100644 --- a/net/batman-adv/gateway_client.c +++ b/net/batman-adv/gateway_client.c @@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len) p++; /* ...and then we jump over the data */ - if (pkt_len < *p) + if (pkt_len < 1 + (*p)) goto out; - pkt_len -= *p; - p += (*p); + pkt_len -= 1 + (*p); + p += 1 + (*p); } } out: -- 1.7.9.4 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists