svn commit: r365257 - in releng: 11.3/sbin/dhclient 11.4/sbin/dhclient 12.1/sbin/dhclient
Gordon Tetlow
gordon at FreeBSD.org
Wed Sep 2 16:25:32 UTC 2020
Author: gordon
Date: Wed Sep 2 16:25:31 2020
New Revision: 365257
URL: https://svnweb.freebsd.org/changeset/base/365257
Log:
Fix dhclient heap overflow.
Approved by: so
Security: FreeBSD-SA-20:26.dhclient
Security: CVE-2020-7461
Modified:
releng/11.3/sbin/dhclient/options.c
releng/11.4/sbin/dhclient/options.c
releng/12.1/sbin/dhclient/options.c
Modified: releng/11.3/sbin/dhclient/options.c
==============================================================================
--- releng/11.3/sbin/dhclient/options.c Wed Sep 2 16:24:32 2020 (r365256)
+++ releng/11.3/sbin/dhclient/options.c Wed Sep 2 16:25:31 2020 (r365257)
@@ -296,6 +296,8 @@ find_search_domain_name_len(struct option_data *option
pointed_len = find_search_domain_name_len(option,
&pointer);
+ if (pointed_len < 0)
+ return (-1);
domain_name_len += pointed_len;
*offset = i + 2;
Modified: releng/11.4/sbin/dhclient/options.c
==============================================================================
--- releng/11.4/sbin/dhclient/options.c Wed Sep 2 16:24:32 2020 (r365256)
+++ releng/11.4/sbin/dhclient/options.c Wed Sep 2 16:25:31 2020 (r365257)
@@ -296,6 +296,8 @@ find_search_domain_name_len(struct option_data *option
pointed_len = find_search_domain_name_len(option,
&pointer);
+ if (pointed_len < 0)
+ return (-1);
domain_name_len += pointed_len;
*offset = i + 2;
Modified: releng/12.1/sbin/dhclient/options.c
==============================================================================
--- releng/12.1/sbin/dhclient/options.c Wed Sep 2 16:24:32 2020 (r365256)
+++ releng/12.1/sbin/dhclient/options.c Wed Sep 2 16:25:31 2020 (r365257)
@@ -298,6 +298,8 @@ find_search_domain_name_len(struct option_data *option
pointed_len = find_search_domain_name_len(option,
&pointer);
+ if (pointed_len < 0)
+ return (-1);
domain_name_len += pointed_len;
*offset = i + 2;
More information about the svn-src-releng
mailing list