From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 10:12:33 +0000 (+0200)
Subject: dhcp6: make sure we have enough space for the DHCP6 option header
X-Git-Tag: archive/raspbian/239-13+rpi1^2~32
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9cc05c2437d7f3495b9153f70cd38f0965c23c54;p=systemd.git

dhcp6: make sure we have enough space for the DHCP6 option header

Fixes a vulnerability originally discovered by Felix Wilhelm from
Google.

CVE-2018-15688
LP: #1795921
https://bugzilla.redhat.com/show_bug.cgi?id=1639067

(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)

Gbp-Pq: Name dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-option.patch
---

diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
index 18196b12..09794972 100644
--- a/src/libsystemd-network/dhcp6-option.c
+++ b/src/libsystemd-network/dhcp6-option.c
@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
                 return -EINVAL;
         }
 
-        if (*buflen < len)
+        if (*buflen < offsetof(DHCP6Option, data) + len)
                 return -ENOBUFS;
 
         ia_hdr = *buf;