Date: Wed, 2 Sep 2020 16:25:31 +0000 (UTC)
From: Gordon Tetlow <gordon@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r365257 - in releng: 11.3/sbin/dhclient 11.4/sbin/dhclient 12.1/sbin/dhclient
Message-ID: <202009021625.082GPVEu037104@repo.freebsd.org>
Author: gordon Date: Wed Sep 2 16:25:31 2020 New Revision: 365257 URL: https://svnweb.freebsd.org/changeset/base/365257 Log: Fix dhclient heap overflow. Approved by: so Security: FreeBSD-SA-20:26.dhclient Security: CVE-2020-7461 Modified: releng/11.3/sbin/dhclient/options.c releng/11.4/sbin/dhclient/options.c releng/12.1/sbin/dhclient/options.c Modified: releng/11.3/sbin/dhclient/options.c ============================================================================== --- releng/11.3/sbin/dhclient/options.c Wed Sep 2 16:24:32 2020 (r365256) +++ releng/11.3/sbin/dhclient/options.c Wed Sep 2 16:25:31 2020 (r365257) @@ -296,6 +296,8 @@ find_search_domain_name_len(struct option_data *option pointed_len = find_search_domain_name_len(option, &pointer); + if (pointed_len < 0) + return (-1); domain_name_len += pointed_len; *offset = i + 2; Modified: releng/11.4/sbin/dhclient/options.c ============================================================================== --- releng/11.4/sbin/dhclient/options.c Wed Sep 2 16:24:32 2020 (r365256) +++ releng/11.4/sbin/dhclient/options.c Wed Sep 2 16:25:31 2020 (r365257) @@ -296,6 +296,8 @@ find_search_domain_name_len(struct option_data *option pointed_len = find_search_domain_name_len(option, &pointer); + if (pointed_len < 0) + return (-1); domain_name_len += pointed_len; *offset = i + 2; Modified: releng/12.1/sbin/dhclient/options.c ============================================================================== --- releng/12.1/sbin/dhclient/options.c Wed Sep 2 16:24:32 2020 (r365256) +++ releng/12.1/sbin/dhclient/options.c Wed Sep 2 16:25:31 2020 (r365257) @@ -298,6 +298,8 @@ find_search_domain_name_len(struct option_data *option pointed_len = find_search_domain_name_len(option, &pointer); + if (pointed_len < 0) + return (-1); domain_name_len += pointed_len; *offset = i + 2;
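Review bot: The added "if (pointed_len < 0) return (-1);" after the recursive find_search_domain_name_len(option, &pointer) call carries no comment on what a negative return means, and the same two lines go into the 11.3, 11.4 and 12.1 copies of options.c unannotated. Since the log describes this as a heap overflow fix, a one-line comment stating that a negative pointed_len is an error result and must never be added to domain_name_len would keep the check from being dropped in a later cleanup. The context shown here does not include the callers, so it is worth confirming that every caller of find_search_domain_name_len treats -1 as a failure and does not use it as a length.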